From 707e319f602b228e0f094c8185c5220a2c33c61b Mon Sep 17 00:00:00 2001
From: Benjamin Franzke <ben@bnf.dev>
Date: Tue, 14 Nov 2023 09:57:21 +0100
Subject: [PATCH] [SECURITY] Upgrade to typo3/html-sanitizer v2.1.4

See https://github.com/TYPO3/html-sanitizer/releases/tag/v2.1.4

composer req typo3/html-sanitizer:^2.1.4
composer req typo3/html-sanitizer:^2.1.4 \
-d typo3/sysext/core --no-update

Resolves: #102169
Releases: main, 12.4, 11.5
Change-Id: I76edb7ff0dc66d3308d5c0875c2db56ca02addd7
Security-Bulletin: TYPO3-CORE-SA-2023-007
Security-References: CVE-2023-47125
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/81732
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>
Tested-by: Oliver Hader <oliver.hader@typo3.org>
---
composer.json | 2 +-
composer.lock | 16 ++++++++--------
.../DataHandling/DataHandler/SecurityTest.php | 7 +++++++
.../Html/DefaultSanitizerBuilderTest.php | 13 +++++++++++++
typo3/sysext/core/composer.json | 2 +-
.../ViewHelpers/Sanitize/HtmlViewHelperTest.php | 1 +
.../Rendering/SecureHtmlRenderingTest.php | 8 ++++++++
7 files changed, 39 insertions(+), 10 deletions(-)

diff --git a/composer.json b/composer.json
index 68638c8f7c20..3def64c241da 100644
--- a/composer.json
+++ b/composer.json
@@ -97,7 +97,7 @@
 "typo3/class-alias-loader": "^1.1.4",
 "typo3/cms-cli": "^3.1",
 "typo3/cms-composer-installers": "^2.0 || ^3.0 || ^4.0",
- "typo3/html-sanitizer": "^2.1.3",
+ "typo3/html-sanitizer": "^2.1.4",
 "typo3/phar-stream-wrapper": "^3.1.7",
 "typo3/symfony-psr-event-dispatcher-adapter": "^1.0 || ^2.0",
 "typo3fluid/fluid": "^2.7.2"
diff --git a/composer.lock b/composer.lock
index 571de3e1ed04..1ab82ee31e49 100644
--- a/composer.lock
+++ b/composer.lock
@@ -4,7 +4,7 @@ "Read more about it at https://getcomposer.org/doc/01-basic-usage.md#installing-dependencies", "This file is @generated automatically" ], - "content-hash": "dd3af25ec4a97765f03c9bf04eee6af8", + "content-hash": "2670bff3895b668f59189949cba04ec8", "packages": [ { "name": "bacon/bacon-qr-code",
@@ -5006,16 +5006,16 @@ }, { "name": "typo3/html-sanitizer", - "version": "v2.1.3", + "version": "v2.1.4", "source": { "type": "git", "url": "https://github.com/TYPO3/html-sanitizer.git", - "reference": "a35f220b2336e3f040f91d3de23d19964833643f" + "reference": "b8f90717251d968c49dc77f8c1e5912e2fbe0dff" }, "dist": { "type": "zip", - "url": "https://api.github.com/repos/TYPO3/html-sanitizer/zipball/a35f220b2336e3f040f91d3de23d19964833643f", - "reference": "a35f220b2336e3f040f91d3de23d19964833643f", + "url": "https://api.github.com/repos/TYPO3/html-sanitizer/zipball/b8f90717251d968c49dc77f8c1e5912e2fbe0dff", + "reference": "b8f90717251d968c49dc77f8c1e5912e2fbe0dff", "shasum": "" }, "require": {
@@ -5051,9 +5051,9 @@ "description": "HTML sanitizer aiming to provide XSS-safe markup based on explicitly allowed tags, attributes and values.", "support": { "issues": "https://github.com/TYPO3/html-sanitizer/issues", - "source": "https://github.com/TYPO3/html-sanitizer/tree/v2.1.3" + "source": "https://github.com/TYPO3/html-sanitizer/tree/v2.1.4" }, - "time": "2023-07-25T08:47:32+00:00" + "time": "2023-11-14T07:41:08+00:00" }, { "name": "typo3/phar-stream-wrapper",
@@ -9257,5 +9257,5 @@ "platform-overrides": { "php": "7.4.1" }, - "plugin-api-version": "2.3.0" + "plugin-api-version": "2.6.0" }
diff --git a/typo3/sysext/core/Tests/Functional/DataHandling/DataHandler/SecurityTest.php b/typo3/sysext/core/Tests/Functional/DataHandling/DataHandler/SecurityTest.php
index 871646bbc28c..cbd564c3d29d 100644
--- a/typo3/sysext/core/Tests/Functional/DataHandling/DataHandler/SecurityTest.php
+++ b/typo3/sysext/core/Tests/Functional/DataHandling/DataHandler/SecurityTest.php
@@ -226,6 +226,13 @@ class SecurityTest extends FunctionalTestCase
 '<p><a href="t3://page?uid=1" target="_blank" rel="noreferrer" role="button" onmouseover="alert(1)">text</a></p>',
 ],
 ],
+ [
+ '<?xml >s<img src=x onerror=alert(1)> ?>',
+ [
+ '<?xml >s<img src=x onerror=alert(1)> ?>',
+ '<?xml >s<img src=x onerror=alert(1)> ?>',
+ ],
+ ],
 ];
 }
diff --git a/typo3/sysext/core/Tests/Functional/Html/DefaultSanitizerBuilderTest.php b/typo3/sysext/core/Tests/Functional/Html/DefaultSanitizerBuilderTest.php
index 6e4d74335d11..004e5040e6b5 100644
--- a/typo3/sysext/core/Tests/Functional/Html/DefaultSanitizerBuilderTest.php
+++ b/typo3/sysext/core/Tests/Functional/Html/DefaultSanitizerBuilderTest.php
@@ -162,6 +162,18 @@ class DefaultSanitizerBuilderTest extends FunctionalTestCase
 '<span style="color: orange">value</span>',
 '<span style="color: orange">value</span>',
 ],
+ '#912' => [
+ '<!---><p>',
+ '<!---><p>-->',
+ ],
+ '#913' => [
+ '<!---!><p>',
+ '<!---!><p>-->',
+ ],
+ '#941' => [
+ '<?xml >s<img src=x onerror=alert(1)> ?>',
+ '<?xml >s<img src=x onerror=alert(1)> ?>',
+ ],
 ];
 }
@@ -221,6 +233,7 @@ class DefaultSanitizerBuilderTest extends FunctionalTestCase
 $sanitizer->sanitize('<script>alert(1)</script>', new SanitizerInitiator($trace));
 $logItemDataExpectation = [
 'behavior' => 'default',
+ 'nodeType' => 1,
 'nodeName' => 'script',
 'initiator' => $trace,
 ];
diff --git a/typo3/sysext/core/composer.json b/typo3/sysext/core/composer.json
index 4960d08d5d50..d2ddca44788f 100644
--- a/typo3/sysext/core/composer.json
+++ b/typo3/sysext/core/composer.json
@@ -73,7 +73,7 @@
 "typo3/class-alias-loader": "^1.1.4",
 "typo3/cms-cli": "^3.1",
 "typo3/cms-composer-installers": "^2.0 || ^3.0 || ^4.0",
- "typo3/html-sanitizer": "^2.1.3",
+ "typo3/html-sanitizer": "^2.1.4",
 "typo3/phar-stream-wrapper": "^3.1.7",
 "typo3/symfony-psr-event-dispatcher-adapter": "^1.0 || ^2.0",
 "typo3fluid/fluid": "^2.7.2"
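Review bot: The new data set in the SecurityTest provider lists the same string `'<?xml >s<img src=x onerror=alert(1)> ?>'` as the input and as both expected values, so as printed here the case would only assert that the payload passes through untouched, which is not a useful regression test for a sanitizer fix. Given the comment in the SecureHtmlRenderingTest hunk that the TYPO3 HTML parser encodes processing instructions, the committed expectations are presumably the entity-encoded form (`&lt;?xml &gt;s&lt;img …&gt; ?&gt;`) and the entities were decoded when this patch was rendered; the same applies to `#941` in DefaultSanitizerBuilderTest and `#08` in SecureHtmlRenderingTest, and is worth confirming against the committed files. Unlike `#941`, this entry carries no hint of what it covers; a comment such as `// html-sanitizer #941 / CVE-2023-47125: a processing instruction must come out entity-encoded, not as markup` above the new element would record why the encoded output is the expected outcome. The data provider this entry belongs to starts outside the hunk.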
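Review bot: The `#912` and `#913` expectations (`'<!---><p>-->'`) pin behaviour that diverges from the WHATWG tokenizer, where `<!--->` already closes an empty comment and the following `<p>` would be parsed as an element; here the remainder stays inside the comment and a closing `-->` is appended. If that is the intended conservative treatment of abruptly closed comments, a short comment above `#912` saying so — e.g. `// abruptly closed comments (<!---> / <!---!>) are deliberately kept as comment text, see #912/#913` — would stop a later maintainer from "correcting" the expectation. The bare numeric keys presumably refer to TYPO3/html-sanitizer issue numbers; stating that once in the provider's docblock would help readers of this file. The provider method starts outside the hunk.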
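Review bot: The added `'nodeType' => 1,` is a magic number; 1 is the value of PHP's DOM constant for element nodes, so `'nodeType' => \XML_ELEMENT_NODE,` says the same thing without a lookup, presumably matching the DOM node type of the rejected `script` element. The identical line added in the HtmlViewHelperTest hunk should follow suit. Since this key is new in the expectation it presumably reflects a log-item field introduced by html-sanitizer v2.1.4; a brief comment that the expectation tracks the library's log payload format would explain why a dependency bump touches these tests. The surrounding test method starts and ends outside the hunk.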
diff --git a/typo3/sysext/fluid/Tests/Functional/ViewHelpers/Sanitize/HtmlViewHelperTest.php b/typo3/sysext/fluid/Tests/Functional/ViewHelpers/Sanitize/HtmlViewHelperTest.php
index e9aa43f1027d..efad1cae20ac 100644
--- a/typo3/sysext/fluid/Tests/Functional/ViewHelpers/Sanitize/HtmlViewHelperTest.php
+++ b/typo3/sysext/fluid/Tests/Functional/ViewHelpers/Sanitize/HtmlViewHelperTest.php
@@ -98,6 +98,7 @@ class HtmlViewHelperTest extends FunctionalTestCase
 $logItemDataExpectation = [
 'behavior' => 'default',
+ 'nodeType' => 1,
 'nodeName' => 'script',
 'initiator' => HtmlViewHelper::class,
 ];
diff --git a/typo3/sysext/fluid_styled_content/Tests/Functional/Rendering/SecureHtmlRenderingTest.php b/typo3/sysext/fluid_styled_content/Tests/Functional/Rendering/SecureHtmlRenderingTest.php
index 7a34ac7b8980..97e7d2656a59 100644
--- a/typo3/sysext/fluid_styled_content/Tests/Functional/Rendering/SecureHtmlRenderingTest.php
+++ b/typo3/sysext/fluid_styled_content/Tests/Functional/Rendering/SecureHtmlRenderingTest.php
@@ -119,6 +119,14 @@ class SecureHtmlRenderingTest extends FunctionalTestCase
 '07: <a href="t3://page?uid=1000" target="_blank" rel="noreferrer" class="button" role="button" onmouseover="alert(1)">TYPO3</a>',
 '<p>07: <a href="/" target="_blank" rel="noreferrer" class="button" role="button">TYPO3</a></p>',
 ],
+ '#08' => [
+ '08: <?xml >s<img src=x onerror=alert(1)> ?>',
+ // Note: The TYPO3 HTML Parser encodes processing instructions, it's therefore
+ // expected and "OK" that the img tag is not encoded but sanitized.
+ // If the HTML Parser would not run, the expected result would be:
+ // '<p>08: <?xml >s<img src=x onerror=alert(1)> ?></p>',
+ '<p>08: <?xml >s<img src="x"> ?></p>',
+ ],
 ];
 }
-- 
GitLab
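Review bot: The explanatory comment in `#08` is the right idea, but its wording is hard to follow ("If the HTML Parser would not run") and it does not say what the assertion actually proves: the `onerror` attribute is gone while `<img src="x">` survives, i.e. the sanitizer processed the markup that follows the encoded processing instruction. A tighter version: `// The TYPO3 HTML parser entity-encodes the processing instruction first, so the remaining text is parsed as markup and the <img> is sanitized (onerror dropped) rather than encoded; without that parser the whole string would be expected encoded, as in DefaultSanitizerBuilderTest #941.` As printed here the expected value shows `<?xml` unencoded, which contradicts the comment; presumably the committed string is entity-encoded and this rendering decoded it, which is worth confirming. The data provider starts outside the hunk.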