0015311_v3.patch - TYPO3 Core - TYPO3 Forge

Bug #23321 » 0015311_v3.patch

Administrator Admin, 2010-08-03 16:14

     	 * @access public
     	 */
     	function sanitizeBackEndUrl($url = '') {
     		$whitelistPattern = '/^[a-zA-Z0-9_\/\.&=\?]+$/';
     		if (!preg_match($whitelistPattern, $url)) {
     		$whitelistPattern = '/^[a-z0-9_\/\.&=\?\+~-]+$/i';
     		$charsetConversion = t3lib_div::makeInstance('t3lib_cs');
     		if (!preg_match($whitelistPattern, $charsetConversion->specCharsToASCII('utf-8', $url))) {
     			$url = '';
+    		}
-...
     		$decodedUrl = rawurldecode($url);
     		$decodedParts = @parse_url($decodedUrl);
     		$whitelistPattern = '/^(\p{Nd}|\p{L}|[_\/\.&=\?\+-~])+$/u';
     		$whitelistPattern = '/^[a-z0-9_\/\.&=\?\+~-]+$/i';
     		$charsetConversion = t3lib_div::makeInstance('t3lib_cs');
     			// Only http and https are allowed as scheme, and at least a path must be given:
     		if (isset($decodedParts['scheme']) && !t3lib_div::inList('http,https', $decodedParts['scheme']) || !isset($decodedParts['path'])) {
     			$url = '';
     			// Check all URL parts for invalid characters:
     		} else {
     			foreach ($decodedParts as $part) {
     				if (!preg_match($whitelistPattern, $part)) {
     			foreach ($decodedParts as $type => $part) {
     				$part = $charsetConversion->specCharsToASCII('utf-8', $part);
     				if ($type != 'host' && !preg_match($whitelistPattern, $part)) {
     					$url = '';
     					break;
+    				}

(3-3/3)