From 6e989230a10a36934c56718f1ec866c2683fe815 Mon Sep 17 00:00:00 2001
From: Benjamin Franzke <ben@bnf.dev>
Date: Tue, 14 Nov 2023 09:58:11 +0100
Subject: [PATCH] [SECURITY] Upgrade to typo3/html-sanitizer v2.1.4

See https://github.com/TYPO3/html-sanitizer/releases/tag/v2.1.4

composer req typo3/html-sanitizer:^2.1.4
composer req typo3/html-sanitizer:^2.1.4 \
 -d typo3/sysext/core --no-update

Resolves: #102169
Releases: main, 12.4, 11.5
Change-Id: I76edb7ff0dc66d3308d5c0875c2db56ca02addd7
Security-Bulletin: TYPO3-CORE-SA-2023-007
Security-References: CVE-2023-47125
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/81737
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>
Tested-by: Oliver Hader <oliver.hader@typo3.org>
---
 composer.json | 2 +-
 composer.lock | 14 +++++++-------
 .../DataHandling/DataHandler/SecurityTest.php | 7 +++++++
 .../Html/DefaultSanitizerBuilderTest.php | 13 +++++++++++++
 typo3/sysext/core/composer.json | 2 +-
 .../ViewHelpers/Sanitize/HtmlViewHelperTest.php | 1 +
 .../Rendering/SecureHtmlRenderingTest.php | 8 ++++++++
 7 files changed, 38 insertions(+), 9 deletions(-)

diff --git a/composer.json b/composer.json
index c1ed28c71992..6ccc1266025b 100644
--- a/composer.json
+++ b/composer.json
@@ -96,7 +96,7 @@
 "typo3/class-alias-loader": "^1.1.4",
 "typo3/cms-cli": "^3.1",
 "typo3/cms-composer-installers": "^5.0",
- "typo3/html-sanitizer": "^2.1.3",
+ "typo3/html-sanitizer": "^2.1.4",
 "typo3fluid/fluid": "^2.9.2"
 },
 "require-dev": {
diff --git a/composer.lock b/composer.lock
index 24cda42fb014..33cb943bc946 100644
--- a/composer.lock
+++ b/composer.lock
@@ -4,7 +4,7 @@
 "Read more about it at https://getcomposer.org/doc/01-basic-usage.md#installing-dependencies",
 "This file is @generated automatically"
 ],
- "content-hash": "3804c033560c628a027dfc79915afdb4",
+ "content-hash": "2220edce56b7861d31cf5b5c4b223a7f",
 "packages": [
 {
 "name": "bacon/bacon-qr-code",
@@ -4773,16 +4773,16 @@
 },
 {
 "name": "typo3/html-sanitizer",
- "version": "v2.1.3",
+ "version": "v2.1.4",
 "source": {
 "type": "git",
 "url": "https://github.com/TYPO3/html-sanitizer.git",
- "reference": "a35f220b2336e3f040f91d3de23d19964833643f"
+ "reference": "b8f90717251d968c49dc77f8c1e5912e2fbe0dff"
 },
 "dist": {
 "type": "zip",
- "url": "https://api.github.com/repos/TYPO3/html-sanitizer/zipball/a35f220b2336e3f040f91d3de23d19964833643f",
- "reference": "a35f220b2336e3f040f91d3de23d19964833643f",
+ "url": "https://api.github.com/repos/TYPO3/html-sanitizer/zipball/b8f90717251d968c49dc77f8c1e5912e2fbe0dff",
+ "reference": "b8f90717251d968c49dc77f8c1e5912e2fbe0dff",
 "shasum": ""
 },
 "require": {
@@ -4818,9 +4818,9 @@
 "description": "HTML sanitizer aiming to provide XSS-safe markup based on explicitly allowed tags, attributes and values.",
 "support": {
 "issues": "https://github.com/TYPO3/html-sanitizer/issues",
- "source": "https://github.com/TYPO3/html-sanitizer/tree/v2.1.3"
+ "source": "https://github.com/TYPO3/html-sanitizer/tree/v2.1.4"
 },
- "time": "2023-07-25T08:47:32+00:00"
+ "time": "2023-11-14T07:41:08+00:00"
 },
 {
 "name": "typo3fluid/fluid",
diff --git a/typo3/sysext/core/Tests/Functional/DataHandling/DataHandler/SecurityTest.php b/typo3/sysext/core/Tests/Functional/DataHandling/DataHandler/SecurityTest.php
index 39965bdc7938..b4f5c8c3cbf9 100644
--- a/typo3/sysext/core/Tests/Functional/DataHandling/DataHandler/SecurityTest.php
+++ b/typo3/sysext/core/Tests/Functional/DataHandling/DataHandler/SecurityTest.php
@@ -227,6 +227,13 @@ final class SecurityTest extends FunctionalTestCase
 '<p><a href="t3://page?uid=1" target="_blank" rel="noreferrer" role="button" onmouseover="alert(1)">text</a></p>',
 ],
 ],
+ [
+ '<?xml >s<img src=x onerror=alert(1)> ?>',
+ [
+ '<?xml >s<img src=x onerror=alert(1)> ?>',
+ '<?xml >s<img src=x onerror=alert(1)> ?>',
+ ],
+ ],
 ];
 }
diff --git a/typo3/sysext/core/Tests/Functional/Html/DefaultSanitizerBuilderTest.php b/typo3/sysext/core/Tests/Functional/Html/DefaultSanitizerBuilderTest.php
index 612c25f18aad..9800249a85ee 100644
--- a/typo3/sysext/core/Tests/Functional/Html/DefaultSanitizerBuilderTest.php
+++ b/typo3/sysext/core/Tests/Functional/Html/DefaultSanitizerBuilderTest.php
@@ -145,6 +145,18 @@ final class DefaultSanitizerBuilderTest extends FunctionalTestCase
 '<span style="color: orange">value</span>',
 '<span style="color: orange">value</span>',
 ],
+ '#912' => [
+ '<!---><p>',
+ '<!---><p>-->',
+ ],
+ '#913' => [
+ '<!---!><p>',
+ '<!---!><p>-->',
+ ],
+ '#941' => [
+ '<?xml >s<img src=x onerror=alert(1)> ?>',
+ '<?xml >s<img src=x onerror=alert(1)> ?>',
+ ],
 ];
 }
@@ -202,6 +214,7 @@ final class DefaultSanitizerBuilderTest extends FunctionalTestCase
 $sanitizer->sanitize('<script>alert(1)</script>', new SanitizerInitiator($trace));
 $logItemDataExpectation = [
 'behavior' => 'default',
+ 'nodeType' => 1,
 'nodeName' => 'script',
 'initiator' => $trace,
 ];
diff --git a/typo3/sysext/core/composer.json b/typo3/sysext/core/composer.json
index 6833553b070d..adbf204e5efc 100644
--- a/typo3/sysext/core/composer.json
+++ b/typo3/sysext/core/composer.json
@@ -72,7 +72,7 @@
 "typo3/class-alias-loader": "^1.1.4",
 "typo3/cms-cli": "^3.1",
 "typo3/cms-composer-installers": "^5.0",
- "typo3/html-sanitizer": "^2.1.3",
+ "typo3/html-sanitizer": "^2.1.4",
 "typo3fluid/fluid": "^2.9.2"
 },
 "suggest": {
diff --git a/typo3/sysext/fluid/Tests/Functional/ViewHelpers/Sanitize/HtmlViewHelperTest.php b/typo3/sysext/fluid/Tests/Functional/ViewHelpers/Sanitize/HtmlViewHelperTest.php
index 7b7c4ecb63a6..d30a4597c104 100644
--- a/typo3/sysext/fluid/Tests/Functional/ViewHelpers/Sanitize/HtmlViewHelperTest.php
+++ b/typo3/sysext/fluid/Tests/Functional/ViewHelpers/Sanitize/HtmlViewHelperTest.php
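Review bot: For the `'#941'` dataset the expected output is shown byte-identical to the input `<?xml >s<img src=x onerror=alert(1)> ?>`, which, read literally, asserts that the processing-instruction payload leaves the sanitizer untouched — the very behaviour this upgrade is meant to close (a browser ends the bogus comment at the first `>` and renders the `<img onerror>` that follows). The committed file most likely holds the entity-encoded form `'&lt;?xml &gt;s&lt;img src=x onerror=alert(1)&gt; ?&gt;'` and the entities were decoded when this page was rendered; please confirm against the source, since an unencoded expectation here would let the regression test pass on the vulnerable behaviour. A short why-comment on the three new datasets would also spare readers a trip to the upstream tracker, e.g. `// #912/#913: malformed comment closings are re-serialized as a complete comment; #941: a processing instruction must not reach the output as markup (CVE-2023-47125)`. The data provider this hunk extends starts outside the hunk.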
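Review bot: The added `'nodeType' => 1,` in the log-item expectation is a magic number; PHP's libxml constant `XML_ELEMENT_NODE` has that value and, given the sibling `nodeName` key, is presumably what the sanitizer reports from `DOMNode::$nodeType`, so `'nodeType' => XML_ELEMENT_NODE,` states the intent and keeps the assertion readable when the log item is later emitted for non-element nodes such as the processing instructions this release starts handling. The same substitution applies to the identical line added in HtmlViewHelperTest. That the value originates from `DOMNode::$nodeType` is inferred, not visible in this hunk.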
@@ -94,6 +94,7 @@ final class HtmlViewHelperTest extends FunctionalTestCase
 $logItemDataExpectation = [
 'behavior' => 'default',
+ 'nodeType' => 1,
 'nodeName' => 'script',
 'initiator' => HtmlViewHelper::class,
 ];
diff --git a/typo3/sysext/fluid_styled_content/Tests/Functional/Rendering/SecureHtmlRenderingTest.php b/typo3/sysext/fluid_styled_content/Tests/Functional/Rendering/SecureHtmlRenderingTest.php
index 1d0444ec2b48..46b24afb2d26 100644
--- a/typo3/sysext/fluid_styled_content/Tests/Functional/Rendering/SecureHtmlRenderingTest.php
+++ b/typo3/sysext/fluid_styled_content/Tests/Functional/Rendering/SecureHtmlRenderingTest.php
@@ -109,6 +109,14 @@ final class SecureHtmlRenderingTest extends FunctionalTestCase
 '07: <a href="t3://page?uid=1000" target="_blank" rel="noreferrer" class="button" role="button" onmouseover="alert(1)">TYPO3</a>',
 '<p>07: <a href="/" target="_blank" rel="noreferrer" class="button" role="button">TYPO3</a></p>',
 ],
+ '#08' => [
+ '08: <?xml >s<img src=x onerror=alert(1)> ?>',
+ // Note: The TYPO3 HTML Parser encodes processing instructions, it's therefore
+ // expected and "OK" that the img tag is not encoded but sanitized.
+ // If the HTML Parser would not run, the expected result would be:
+ // '<p>08: <?xml >s<img src=x onerror=alert(1)> ?></p>',
+ '<p>08: <?xml >s<img src="x"> ?></p>',
+ ],
 ];
 }
-- GitLab
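Review bot: The new comment states that the HTML parser encodes processing instructions, yet the expectation below it, `'<p>08: <?xml >s<img src="x"> ?></p>'`, as shown still contains a raw `<?xml >` and ` ?>`, which contradicts the comment and would leave a browser treating `<?xml >` as a bogus comment with live markup after it. Most likely the committed file reads `'<p>08: &lt;?xml &gt;s<img src="x"> ?&gt;</p>'` (and the "would be" line in the comment `&lt;?xml &gt;s&lt;img src=x onerror=alert(1)&gt; ?&gt;`), with the entities decoded when this page was rendered; please verify against the source, because the test is only meaningful with the encoded form. Minor wording on the third comment line: `// If the HTML parser did not run, the expected result would be:`. The data provider this hunk extends starts outside the hunk.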