[SECURITY] Prevent XSS due to wrong PATH_INFO evaluation

As already started in #88304 (but only for NormalizedParams) and later reverted in #89312 (because of cgi-bin problems), PATH_INFO is no longer considered as a preferable SCRIPT_NAME alternative. All known server configurations set SCRIPT_NAME these days to a proper value when cgi.fix_pathinfo is set.

The fallback to PATH_INFO has been introduced with the initial revision of TYPO3 and isn't needed at all nowadays. It's actually wrong, as a REQUEST_URI like /index.php/foo/bar would incorrectly be interpreted as $scriptName == "/foo/bar", which lets all calculations on $scriptName fail and even leads to XSS where values derived from $scriptName are printed without being escaped.

Also any ORIG_SCRIPT_NAME evaluation is dropped, as this variable contains the SCRIPT_NAME that was set by the webserver configuration before PHP applied cgi.fix_pathinfo. Using ORIG_SCRIPT_NAME effectively meant bypassing PHP's pathinfo fix. It usually contains the cgi-wrapper paths, which is why PATH_INFO was used to overrule wrong ORIG_SCRIPT_NAME values.

GeneralUtility::getIndpEnv('PATH_INFO') is adapted to trust the server's PATH_INFO information, now that we no longer allow servers to send SCRIPT_NAME as PATH_INFO (we enforce cgi.fix_pathinfo=1 for CGI installations).

The normalized SCRIPT_NAME is now adapted to be encoded as a URL path by default, as all TYPO3 usages expect this to be a URL path. Note that $_SERVER['SCRIPT_NAME'] refers to the server's file system path, not the URL-encoded value. This SCRIPT_NAME sanitization actually enables:

a) TYPO3 to be run in a subfolder that contains characters that need URL encoding, e.g. `/test:site/` – URL-encoded that'd be `/test%3Asite/`.
b) prevention of XSS in case third-party extensions failed to escape any URL that is derived from SCRIPT_NAME (while making sure that properly escaped output is not double escaped).

Resolves: #99651
Related: #88304
Related: #89312
Releases: main, 11.5, 10.4
Change-Id: Ief95253d764665db5182a15ce8ffd02ea02ee61e
Security-Bulletin: TYPO3-CORE-SA-2023-001
Security-References: CVE-2023-24814
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/77737
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>
Tested-by: Oliver Hader <oliver.hader@typo3.org>
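The derivation the commit message describes, as an added illustration that is not TYPO3's own code: a simplified legacy lookup in which PATH_INFO overrules SCRIPT_NAME, beside the hardened variant that trusts only the web server's SCRIPT_NAME and encodes it as a URL path. The function names and the `$_SERVER`-style arrays are constructed for this example.

```php
<?php
declare(strict_types=1);

// Added illustration, not TYPO3 code: a simplified model of the SCRIPT_NAME
// derivation described in the commit message, before and after the fix.

/**
 * Legacy lookup (simplified): PATH_INFO overrules ORIG_SCRIPT_NAME, which
 * overrules SCRIPT_NAME. With cgi.fix_pathinfo=1 a request for
 * /index.php/foo/bar carries PATH_INFO=/foo/bar, so the "script name"
 * becomes whatever the client appended to the request URI.
 */
function legacyScriptName(array $server): string
{
    if (($server['PATH_INFO'] ?? '') !== '') {
        return $server['PATH_INFO'];
    }
    if (($server['ORIG_SCRIPT_NAME'] ?? '') !== '') {
        return $server['ORIG_SCRIPT_NAME'];
    }
    return $server['SCRIPT_NAME'] ?? '';
}

/**
 * Hardened lookup: only the web server's SCRIPT_NAME (a file system path) is
 * trusted; PATH_INFO and ORIG_SCRIPT_NAME are ignored. Each path segment is
 * percent-encoded so the result is a URL path: characters that matter in
 * HTML are no longer present, so unescaped output cannot inject markup and
 * properly escaped output is not double-escaped.
 */
function normalizedScriptName(array $server): string
{
    $segments = explode('/', $server['SCRIPT_NAME'] ?? '');
    // Encode per segment so the "/" separators survive untouched.
    return implode('/', array_map('rawurlencode', $segments));
}

// Constructed requests: a PATH_INFO request and a subfolder installation.
$pathInfoRequest = ['SCRIPT_NAME' => '/index.php', 'PATH_INFO' => '/foo/bar'];
$subfolderRequest = ['SCRIPT_NAME' => '/test:site/index.php'];

printf("legacy:     %s\n", legacyScriptName($pathInfoRequest));
printf("normalized: %s\n", normalizedScriptName($pathInfoRequest));
printf("subfolder:  %s\n", normalizedScriptName($subfolderRequest));
```

For the first request the legacy lookup returns the request-supplied `/foo/bar` while the hardened one returns `/index.php`; the subfolder case yields the `/test%3Asite/` form the commit message mentions.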
- typo3/sysext/core/Classes/Core/SystemEnvironmentBuilder.php: 5 additions, 11 deletions
- typo3/sysext/core/Classes/Http/NormalizedParams.php: 12 additions, 16 deletions
- typo3/sysext/core/Classes/Utility/GeneralUtility.php: 12 additions, 16 deletions
- typo3/sysext/core/Tests/Unit/Http/NormalizedParamsTest.php: 18 additions, 67 deletions
- typo3/sysext/core/Tests/Unit/Log/Processor/WebProcessorTest.php: 1 addition, 2 deletions
- typo3/sysext/core/Tests/Unit/Resource/ResourceCompressorTest.php: 1 addition, 1 deletion
- typo3/sysext/extbase/Tests/Unit/Mvc/Web/Routing/UriBuilderTest.php: 0 additions, 2 deletions
- typo3/sysext/felogin/Tests/Unit/Validation/RedirectUrlValidatorTest.php: 1 addition, 1 deletion
- typo3/sysext/fluid/Tests/Unit/Core/Widget/WidgetRequestBuilderTest.php: 9 additions, 9 deletions
- typo3/sysext/frontend/Classes/Controller/TypoScriptFrontendController.php: 7 additions, 6 deletions