[SECURITY] Avoid out-of-scope page access for non-matching site
This change disallows calling an URI with page-id query parameters that are not part of a particular site - for instance the following URL `https://example.org/?id=3000&L=0` has two aspects: * the site `example.org` has the root page-id 1000 * the site `internal.example.org` has the root page-id 3000 The example above allows to call a page-id for an internal site, by using a valid and public entry point. The new feature flag `security.frontend.allowInsecureSiteResolutionByQueryParameters` allows to control this behavior for backward compatibility reasons. Per default `allowInsecureSiteResolutionByQueryParameters` is disabled. Resolves: #100889 Releases: main, 12.4, 11.5 Change-Id: I88d565b5d9bea556b4f754c3069d56124cea98bd Security-Bulletin: TYPO3-CORE-SA-2023-003 Security-References: CVE-2023-38499 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/80156 Tested-by:Oliver Hader <oliver.hader@typo3.org> Reviewed-by:
Showing
- typo3/sysext/core/Classes/Routing/SiteMatcher.php 127 additions, 68 deletionstypo3/sysext/core/Classes/Routing/SiteMatcher.php
- typo3/sysext/core/Classes/Routing/SiteRouteResult.php 11 additions, 0 deletionstypo3/sysext/core/Classes/Routing/SiteRouteResult.php
- typo3/sysext/core/Configuration/DefaultConfiguration.php 1 addition, 0 deletionstypo3/sysext/core/Configuration/DefaultConfiguration.php
- typo3/sysext/core/Configuration/DefaultConfigurationDescription.yaml 3 additions, 0 deletions...t/core/Configuration/DefaultConfigurationDescription.yaml
- typo3/sysext/core/Tests/Unit/Routing/SiteMatcherTest.php 20 additions, 0 deletionstypo3/sysext/core/Tests/Unit/Routing/SiteMatcherTest.php
- typo3/sysext/frontend/Tests/Functional/SiteHandling/SlugSiteRequestAllowInsecureSiteResolutionByQueryParametersDisabledTest.php 116 additions, 0 deletions...owInsecureSiteResolutionByQueryParametersDisabledTest.php
- typo3/sysext/frontend/Tests/Functional/SiteHandling/SlugSiteRequestAllowInsecureSiteResolutionByQueryParametersEnabledTest.php 118 additions, 0 deletions...lowInsecureSiteResolutionByQueryParametersEnabledTest.php
- typo3/sysext/frontend/Tests/Functional/SiteHandling/SlugSiteRequestTest.php 6 additions, 0 deletions...end/Tests/Functional/SiteHandling/SlugSiteRequestTest.php
- typo3/sysext/frontend/Tests/Unit/Middleware/SiteResolverTest.php 21 additions, 0 deletions...ysext/frontend/Tests/Unit/Middleware/SiteResolverTest.php
Please register or sign in to comment