Bug #103190

closed

Unsupported scheme "wss"; must be any empty string or in the set (http, https)

Added by Robert Vock 2 months ago. Updated about 2 months ago.

Status: Resolved
Priority: Should have
Assignee:
Category: Security
Target version: -
Start date: 2024-02-23
Due date:
% Done: 100%
Estimated time:
TYPO3 Version: 12
PHP Version:
Tags:
Complexity:
Is Regression:
Sprint Focus:

Description

The UriValue class cannot work with wss schemes. You will get an exception for Unsupported scheme "wss".

Steps to reproduce:
1. Create a Configuration/ContentSecurityPolicies.php file
2. Add a configuration for a WorkerSrc:

<?php

use TYPO3\CMS\Core\Security\ContentSecurityPolicy\{Directive, Mutation, MutationCollection, MutationMode, Scope, UriValue};
use TYPO3\CMS\Core\Type\Map;

return Map::fromEntries([
    Scope::frontend(),
    new MutationCollection(
        new Mutation(
            MutationMode::Append,
            Directive::WorkerSrc,
            // constructing UriValue with a wss:// URI is what raises the exception
            new UriValue('wss://www.example.com:8080'),
        ),
    ),
]);

3. Enable CSP checking in frontend
4. Try to load the frontend.

Actions #1

Updated by Georg Großberger 2 months ago

The hardcoded "http" and "https" values for the scheme of a UriValue object also throw errors in other parts of TYPO3 that use the UriValue class.

e.g. if the report handler ("/@http-reporting?csp=report&...") receives a JSON body like this:

{
  "csp-report": {
    "blocked-uri": "https://stats.g.doubleclick.net/j/collect...",
    "column-number": 32,
    "disposition": "enforce",
    "document-uri": "https://www.my.site/slug",
    "effective-directive": "connect-src",
    "line-number": 36,
    "original-policy": "...",
    "referrer": "android-app://com.google.android.googlequicksearchbox/",
    "script-sample": "",
    "source-file": "https://www.google-analytics.com/analytics.js",
    "status-code": 200,
    "violated-directive": "connect-src"
  }
}

an "InvalidArgumentException" exception is thrown because of the android-app:// prefix in the referrer.

Actions #2

Updated by Oliver Hader 2 months ago

\TYPO3\CMS\Core\Http\Uri (which is the parent class for UriValue) does not support wss: as a scheme - see https://github.com/TYPO3/typo3/blob/450e8a005b080b293dde0acc3f1a1ecb0acbe314/typo3/sysext/core/Classes/Http/Uri.php#L53-L56

For android-app://com.google.android.googlequicksearchbox/ it probably would require a new type, since com.google.android.googlequicksearchbox does not semantically refer to a network authority.
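As an added example, not TYPO3 code and not something any participant in this thread posted, the standalone PHP script below shows how a CSP policy builder or report handler could classify the two kinds of value discussed here, the wss://www.example.com:8080 entry from the description and the android-app:// referrer from comments #1 and #2, without limiting schemes to http and https or aborting on an unexpected one. The NETWORK_SCHEMES and REPORT_TOKENS lists, the function names and the returned 'kind' labels are assumptions of this example, not TYPO3 API, and the report body at the end is constructed after the one quoted in comment #1.

```php
<?php
declare(strict_types=1);

// Added example, not TYPO3 code. Classifies CSP source expressions and the
// URI-like fields of a violation report without hard-coding http/https as
// the only acceptable schemes, and without throwing on unknown input.

/** Schemes whose authority part names a real network host (assumption). */
const NETWORK_SCHEMES = ['http', 'https', 'ws', 'wss'];

/** Tokens a browser may send in blocked-uri instead of a URL (assumption). */
const REPORT_TOKENS = ['inline', 'eval', 'wasm-eval'];

/**
 * Classify a CSP source expression or a URI from a violation report.
 * Always returns an array with a 'kind' key and never throws, so a report
 * handler can log what it received instead of losing the whole report.
 */
function classifyCspSource(string $value): array
{
    $value = trim($value);
    if ($value === '') {
        return ['kind' => 'invalid', 'reason' => 'empty value'];
    }
    if (in_array($value, REPORT_TOKENS, true)) {
        return ['kind' => 'token', 'value' => $value];
    }
    // Keyword sources such as 'self' or 'none'
    if (preg_match('/^\'[a-z0-9-]+\'$/i', $value)) {
        return ['kind' => 'keyword', 'value' => strtolower($value)];
    }
    // Scheme-only sources such as "wss:" or "data:"
    if (preg_match('/^([a-z][a-z0-9+.-]*):$/i', $value, $m)) {
        return ['kind' => 'scheme', 'scheme' => strtolower($m[1])];
    }
    // "scheme://...": decide first whether the scheme names a network authority
    // at all. parse_url() would happily report
    // "com.google.android.googlequicksearchbox" as a host, which it is not.
    if (preg_match('#^([a-z][a-z0-9+.-]*)://#i', $value, $m)) {
        $scheme = strtolower($m[1]);
        if (!in_array($scheme, NETWORK_SCHEMES, true)) {
            return ['kind' => 'opaque', 'scheme' => $scheme, 'raw' => $value];
        }
        $parts = parse_url($value);
        if ($parts === false || empty($parts['host'])) {
            return ['kind' => 'invalid', 'reason' => 'network scheme without host'];
        }
        return [
            'kind' => 'host',
            'scheme' => $scheme,
            'host' => strtolower($parts['host']),
            'port' => $parts['port'] ?? null,
        ];
    }
    // Host sources without a scheme, e.g. "*.example.com:443" or "example.com"
    if (preg_match('/^(\*\.)?[a-z0-9-]+(\.[a-z0-9-]+)*(:(\d+|\*))?$/i', $value)) {
        return ['kind' => 'host', 'scheme' => null, 'raw' => $value];
    }
    return ['kind' => 'invalid', 'reason' => 'unrecognised source expression'];
}

/**
 * Summarise the URI-bearing fields of a CSP report body for storage or
 * logging. Opaque referrers are kept as-is instead of aborting the request.
 */
function summariseCspReport(string $json): array
{
    $body = json_decode($json, true, 512, JSON_THROW_ON_ERROR);
    $report = $body['csp-report'] ?? [];
    $summary = [
        'directive' => $report['effective-directive'] ?? $report['violated-directive'] ?? null,
    ];
    foreach (['document-uri', 'blocked-uri', 'referrer', 'source-file'] as $field) {
        if (isset($report[$field]) && is_string($report[$field])) {
            $summary[$field] = classifyCspSource($report[$field]);
        }
    }
    return $summary;
}

// Policy entry from the bug description: accepted as a wss host source.
print_r(classifyCspSource('wss://www.example.com:8080'));

// Constructed report body, modelled on the one quoted in comment #1.
$sampleReport = json_encode(['csp-report' => [
    'blocked-uri' => 'https://stats.g.doubleclick.net/j/collect',
    'document-uri' => 'https://www.my.site/slug',
    'effective-directive' => 'connect-src',
    'referrer' => 'android-app://com.google.android.googlequicksearchbox/',
    'source-file' => 'https://www.google-analytics.com/analytics.js',
    'status-code' => 200,
]], JSON_THROW_ON_ERROR);
print_r(summariseCspReport($sampleReport));
```

Running the script classifies the wss:// entry as a host source with scheme wss, host www.example.com and port 8080, and reports the android-app:// referrer as 'opaque' so the rest of the report can still be processed; the point of the separate NETWORK_SCHEMES check is that a generic URI parser cannot tell a package name from a host on its own.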

Actions #3

Updated by Gerrit Code Review 2 months ago

  • Status changed from New to Under Review

Patch set 1 for branch main of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/83173

Actions #4

Updated by Josef Glatz about 2 months ago

Is this something that the core needs to support or do we need to find a solution to prevent these exceptions in logging (log files and/or sentry) in your opinion, @Oliver Hader ?

Actions #5

Updated by Gerrit Code Review about 2 months ago

Patch set 1 for branch 12.4 of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/83110

Actions #6

Updated by Oliver Hader about 2 months ago

  • Status changed from Under Review to Resolved
  • % Done changed from 0 to 100