Bug #16140
closed
Losing connection, because of wrong URL
0%
Description
Hi,
I'm not sure if this problem comes directly from DAM or T3 Core, but I get it only with DAM.
When I want to access to any of the DAM submodules (File, List, …) I get a "Connection Interrupted - The document contains no data." error message, in any browsers (Firefox, Camino, Safari, …)
Everything else in my T3 install is working, I've tested it on many installations, before and after upgrading from 3.8.1 to 4.0.
I only get it if I access to a T3 install on a server in a specific netwok, from outside, or from a computer in that network to a server outside of it, so maybe it is triggered by some strange firewall rule, or something.
Some thing makes me think that it may be triggered in my case, but there is a real problem underneath.
I've extracted the URL asked by TYPO3 :
http://my.website.com/typo3/alt_mod_frameset.php?fW=0&nav=/typo3/..%2Ftypo3conf%2Fext%2Fdam%2Fmod_main%2Ftx_dam_navframe.php%3F%26folderOnly%3D1&script=..%2Ftypo3conf%2Fext%2Fdam%2Fmod_file%2Findex.php&id=
If i analyse and decode that URL I can see that there are 4 parts (fw, nav, script, id) and something is wrong with the "nav" part :
encoded : nav=/typo3/..%2Ftypo3conf%2Fext%2Fdam%2Fmod_main%2Ftx_dam_navframe.php%3F%26folderOnly%3D1
decoded : nav=/typo3/../typo3conf/ext/dam/mod_main/tx_dam_navframe.php?&folderOnly=1
I can see that there is a "/typo3/" that is not encoded.
If I remove that "/typo3/" and keep the 2 starting points, it is working well
Stil, I don't know if the problems commes from the Core or DAM, but it is real and the workaround is quite clear ! Though I don't know how to apply it and it might not be good to keep it private in my own install.
Ask me If you want some additional informations.
(issue imported from #M3464)
Files
Updated by J©rémy Lecour over 18 years ago
The problem has been resolved on the Frewall side because it didn't accept any URL with some ../
So it's no longer a problem for me, but it may be still one for some other people with very strict firewall rules and if it's not a requirement in DAM it could be corrected to be more firewall friendly ;-)
Updated by Andreas Wolf over 18 years ago
I don't know, but perhaps it could help to use some function like realpath on the path before building the url? This would remove the typo3/../, but the problem with realpath is that it also resolves symlinks and checks if the file exists, which is not the case here.
In the online PHP-manual somebody gave a function that could be used for that:
function cleanPath($path) {
$result = array();
// $pathA = preg_split('/[\/\\\]/', $path);
$pathA = explode('/', $path);
if (!$pathA0)
$result[] = '';
foreach ($pathA AS $key => $dir) {
if ($dir '..') {
if (end($result) '..') {
$result[] = '..';
} elseif (!array_pop($result)) {
$result[] = '..';
}
} elseif ($dir && $dir != '.') {
$result[] = $dir;
}
}
if (!end($pathA))
$result[] = '';
return implode('/', $result);
}
(taken from http://de3.php.net/realpath)
Updated by René Fritz about 18 years ago
nav=/typo3/../typo3conf/ext/
This is nothing special to DAM and is generated by the core (more precise JS code).
Using ../ in paths isn't very uncommon and really not a bug. Also I see no solution for that.
Updated by Franz Holzinger about 18 years ago
This comes from Top JavaScript:
/**
* Function used to switch switch module.
*/
var currentModuleLoaded = "";
function goToModule(modName,cMR_flag,addGetVars) { //
...
case 'txdamM1_list':
if (top.content.list_frame && top.fsMod.currentMainLoaded=="txdamM1") {
top.currentSubScript="../typo3conf/ext/dam/mod_list/index.php";
top.content.list_frame.location=top.getModuleUrl(top.TS.PATH_typo3+"../typo3conf/ext/dam/mod_list/index.php?"+'&id='+top.rawurlencode(top.fsMod.recentIds['txdamM1'])+additionalGetVariables);
if(top.currentSubNavScript!="../typo3conf/ext/dam/mod_main/tx_dam_navframe.php?") {
top.currentSubNavScript="../typo3conf/ext/dam/mod_main/tx_dam_navframe.php?";
top.content.nav_frame.location=top.getModuleUrl(top.TS.PATH_typo3+"../typo3conf/ext/dam/mod_main/tx_dam_navframe.php?");
}
} else {
top.content.location=top.TS.PATH_typo3+(
top.nextLoadModuleUrl?
"alt_mod_frameset.php?fW="+top.TS.navFrameWidth+"&nav="+top.TS.PATH_typo3+"..%2Ftypo3conf%2Fext%2Fdam%2Fmod_main%2Ftx_dam_navframe.php%3F&script=..%2Ftypo3conf%2Fext%2Fdam%2Fmod_list%2Findex.php&exScript=listframe_loader.php":
"alt_mod_frameset.php?fW="+top.TS.navFrameWidth+"&nav="+top.TS.PATH_typo3+"..%2Ftypo3conf%2Fext%2Fdam%2Fmod_main%2Ftx_dam_navframe.php%3F&script=..%2Ftypo3conf%2Fext%2Fdam%2Fmod_list%2Findex.php"+'&id='+top.rawurlencode(top.fsMod.recentIds['txdamM1'])+additionalGetVariables
);
top.fsMod.currentMainLoaded="txdamM1";
top.currentSubScript="../typo3conf/ext/dam/mod_list/index.php";
}
top.highlightModuleMenuItem("ID_264865927");
break;
----------------------
So probably the top.TS.PATH_typo3 corresponds to 'typo3/' and has not been URL encoded.
And I think it is clear that we would have had it here as a this.PATH_typo3_enc :
------------------------------------------------------------------
/**
* TypoSetup object.
*/
function typoSetup() { //
this.PATH_typo3 = "/typo3/typo3/";
this.PATH_typo3_enc = "%2Ftypo3%2Ftypo3%2F";
this.username = "franz";
this.uniqueID = "2c3d2b7ee2";
this.navFrameWidth = 0;
}
var TS = new typoSetup();
Updated by Franz Holzinger about 18 years ago
The attached patch will change this to:
What do you think? How to test it?
-----------
top.content.location=top.TS.PATH_typo3+(
top.nextLoadModuleUrl?
"alt_mod_frameset.php?fW="+top.TS.navFrameWidth+"&nav="+top.TS.PATH_typo3_enc+"..%2Ftypo3conf%2Fext%2Fdam%2Fmod_main%2Ftx_dam_navframe.php%3F&script=..%2Ftypo3conf%2Fext%2Fdam%2Fmod_list%2Findex.php&exScript=listframe_loader.php":
"alt_mod_frameset.php?fW="+top.TS.navFrameWidth+"&nav="+top.TS.PATH_typo3_enc+"..%2Ftypo3conf%2Fext%2Fdam%2Fmod_main%2Ftx_dam_navframe.php%3F&script=..%2Ftypo3conf%2Fext%2Fdam%2Fmod_list%2Findex.php"+'&id='+top.rawurlencode(top.fsMod.recentIds['txdamM1'])+additionalGetVariables
);
Updated by Michael Stucki over 16 years ago
Simply use t3lib_div::resolveBackPath() for such URLs!
Updated by Christian Kuhn over 15 years ago
I don't think this is a TYPO3 problem. If some "firewall" doesn't allow ../ in paths, the firewall should be fixed.
Updated by