Project

General

Profile

Actions

Bug #103190

closed

Unsupported scheme "wss"; must be any empty string or in the set (http, https)

Added by Robert Vock 2 months ago. Updated about 2 months ago.

Status:
Resolved
Priority:
Should have
Assignee:
Category:
Security
Target version:
-
Start date:
2024-02-23
Due date:
% Done:

100%

Estimated time:
TYPO3 Version:
12
PHP Version:
Tags:
Complexity:
Is Regression:
Sprint Focus:

Description

The UriValue class can not work with wss schemes. You will get an exception for Unsupported scheme "wss".

Steps to reproduce:
1. Create a Configuration/ContentSecurityPolicies.php file
2. Add a configuration for a WorkerSrc:

return Map::fromEntries([
    Scope::frontend(),
    new MutationCollection(
        new Mutation(
            MutationMode::Append,
            Directive::WorkerSrc,
            new UriValue('wss://www.example.com:8080'),
        ),
    ),
]);

3. Enable CSP checking in frontend
4. Try to load the frontend.

Actions #1

Updated by Georg Großberger about 2 months ago

The hardcoded "http" and "https" values for the scheme of an UriValue object also throws errors in other parts of TYPO3 that use the UriValue class.

eg. if the report handler ("/@http-reporting?csp=report&...") receives a JSON body like this:

{
  "csp-report": {
    "blocked-uri": "https://stats.g.doubleclick.net/j/collect...",
    "column-number": 32,
    "disposition": "enforce",
    "document-uri": "https://www.my.site/slug",
    "effective-directive": "connect-src",
    "line-number": 36,
    "original-policy": "...",
    "referrer": "android-app://com.google.android.googlequicksearchbox/",
    "script-sample": "",
    "source-file": "https://www.google-analytics.com/analytics.js",
    "status-code": 200,
    "violated-directive": "connect-src" 
  }
}

an "InvalidArgumentException" exception is thrown because of the android-app:// prefix in the referer.

Actions #2

Updated by Oliver Hader about 2 months ago

\TYPO3\CMS\Core\Http\Uri (which is the parent class for UriValue) does not support wss: as scheme - see https://github.com/TYPO3/typo3/blob/450e8a005b080b293dde0acc3f1a1ecb0acbe314/typo3/sysext/core/Classes/Http/Uri.php#L53-L56

For android-app://com.google.android.googlequicksearchbox/" it probably would require a new type, since com.google.android.googlequicksearchbox does not semantically refer to a network authority.

Actions #3

Updated by Gerrit Code Review about 2 months ago

  • Status changed from New to Under Review

Patch set 1 for branch main of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/83173

Actions #4

Updated by Josef Glatz about 2 months ago

Is this something that the core needs to support or do we need to find a solution to prevent these exceptions in logging (log files and/or sentry) in your opinion, @Oliver Hader ?

Actions #5

Updated by Gerrit Code Review about 2 months ago

Patch set 1 for branch 12.4 of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/83110

Actions #6

Updated by Oliver Hader about 2 months ago

  • Status changed from Under Review to Resolved
  • % Done changed from 0 to 100
Actions

Also available in: Atom PDF