Index: typo3/sysext/cms/tslib/class.tslib_content.php
===================================================================
--- typo3/sysext/cms/tslib/class.tslib_content.php (Revision 8439)
+++ typo3/sysext/cms/tslib/class.tslib_content.php (Arbeitskopie)
@@ -3981,6 +3981,7 @@
 function locDataJU($jumpUrl,$conf) {
 $fI = pathinfo($jumpUrl);
 $mimetype='';
+ $mimetypeValue = '';
 if ($fI['extension']) {
 $mimeTypes = t3lib_div::trimExplode(',',$conf['mimeTypes'],1);
 reset($mimeTypes);
@@ -3996,12 +3997,9 @@
 $locationData = $GLOBALS['TSFE']->id.':'.$this->currentRecord;
 $rec='&locationData='.rawurlencode($locationData);
 $hArr = array(
- $jumpUrl,
- $locationData,
- $mimetypeValue,
- $GLOBALS['TSFE']->TYPO3_CONF_VARS['SYS']['encryptionKey']
+ $jumpUrl, $locationData, $mimetypeValue
 );
- $juHash='&juHash='.t3lib_div::shortMD5(serialize($hArr));
+ $juHash = '&juHash=' . t3lib_div::hmac(serialize($hArr));
 return '&juSecure=1'.$mimetype.$rec.$juHash;
 }
Index: typo3/sysext/cms/tslib/class.tslib_fe.php
===================================================================
--- typo3/sysext/cms/tslib/class.tslib_fe.php (Revision 8439)
+++ typo3/sysext/cms/tslib/class.tslib_fe.php (Arbeitskopie)
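Review bot: The signed payload built at `$hArr = array(` is recomputed from a second, hand-maintained copy of the same array in tslib_fe::jumpUrl(), and nothing in either place says the two must stay in lock-step; a comment such as `// Signed payload: element order and string form must match the verification in tslib_fe::jumpUrl()` on the array would protect the next editor. Dropping the encryptionKey from the array is only sound because t3lib_div::hmac() derives its key from that same setting, so the comment should state that dependency as well. The `$mimetypeValue = '';` initialisation in the preceding hunk is what makes serialize() of the no-match case equal the `(string)` cast on the verifying side, and deserves a one-line note saying so. locDataJU() begins outside this hunk, in the preceding one.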
@@ -2520,31 +2520,31 @@
 function jumpUrl() {
 if ($this->jumpurl) {
 if (t3lib_div::_GP('juSecure')) {
- $locationData = t3lib_div::_GP('locationData');
- $mimeType = t3lib_div::_GP('mimeType');
+ $locationData = (string)t3lib_div::_GP('locationData');
+ $mimeType = (string)t3lib_div::_GP('mimeType'); // Need a type cast here because mimeType is optional!
 $hArr = array(
 $this->jumpurl,
- t3lib_div::_GP('locationData'),
- t3lib_div::_GP('mimeType'),
- $this->TYPO3_CONF_VARS['SYS']['encryptionKey']
+ $locationData,
+ $mimeType
 );
- $calcJuHash=t3lib_div::shortMD5(serialize($hArr));
- $juHash = t3lib_div::_GP('juHash');
- if ($juHash == $calcJuHash) {
+ $calcJuHash = t3lib_div::hmac(serialize($hArr));
+ $juHash = (string)t3lib_div::_GP('juHash');
+ if ($juHash === $calcJuHash) {
 if ($this->locDataCheck($locationData)) {
 $this->jumpurl = rawurldecode($this->jumpurl); // 211002 - goes with cObj->filelink() rawurlencode() of filenames so spaces can be allowed.
 // Deny access to files that match TYPO3_CONF_VARS[SYS][fileDenyPattern] and whose parent directory is typo3conf/ (there could be a backup file in typo3conf/ which does not match against the fileDenyPattern)
- if (t3lib_div::verifyFilenameAgainstDenyPattern($this->jumpurl) && basename(dirname($this->jumpurl)) !== 'typo3conf') {
- if (@is_file($this->jumpurl)) {
+ $absoluteFileName = t3lib_div::getFileAbsFileName(t3lib_div::resolveBackPath($this->jumpurl), FALSE);
+ if (t3lib_div::isAllowedAbsPath($absoluteFileName) && t3lib_div::verifyFilenameAgainstDenyPattern($absoluteFileName) && !t3lib_div::isFirstPartOfStr($absoluteFileName, PATH_site . 'typo3conf')) {
+ if (@is_file($absoluteFileName)) {
 $mimeType = $mimeType ? $mimeType : 'application/octet-stream';
 header('Cache-Control: must-revalidate, post-check=0, pre-check=0');
 header('Content-Type: '.$mimeType);
- header('Content-Disposition: attachment; filename='.basename($this->jumpurl));
- readfile($this->jumpurl);
+ header('Content-Disposition: attachment; filename="'.basename($absoluteFileName) . '"');
+ readfile($absoluteFileName);
 exit;
 } else die('jumpurl Secure: "'.$this->jumpurl.'" was not a valid file!');
- } else die('jumpurl Secure: The requested file type was not allowed to be accessed through jumpUrl (fileDenyPattern)!');
+ } else die('jumpurl Secure: The requested file was not allowed to be accessed through jumpUrl (path or file not allowed)!');
 } else die('jumpurl Secure: locationData, '.$locationData.', was not accessible.');
 } else die('jumpurl Secure: Calculated juHash did not match the submitted juHash.');
 } else {
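Review bot: The path gate at `if (t3lib_div::isAllowedAbsPath($absoluteFileName) && ...)` tests a textually normalised name (resolveBackPath() appears to rewrite `..` as a string rather than on the filesystem), so a symlink under PATH_site that points into typo3conf/, or a differently-cased `TYPO3CONF` segment on a case-insensitive filesystem, still passes the `isFirstPartOfStr($absoluteFileName, PATH_site . 'typo3conf')` exclusion while is_file() and readfile() follow the link. I would add `$realFileName = realpath($absoluteFileName);`, reject a `FALSE` result, and run isAllowedAbsPath, the deny-pattern test and the typo3conf prefix test against `$realFileName` (normalising directory separators before comparing with PATH_site on Windows). The exclusion also lacks a trailing slash, so a sibling such as `typo3conf-backup/` is refused as well — harmless, but `PATH_site . 'typo3conf/'` states the intent. `$juHash === $calcJuHash` is an ordinary string comparison and so leaks timing on the juHash check; hash_equals() (PHP 5.6+) is the replacement once the minimum PHP version allows it. The closing `} else {` continues jumpUrl() past the end of the hunk.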