TYPO3 Core

Can you please provide, how this is called, e.g.
http://my-domain.com/typo3/alt_mod_frameset.php?fW=0&nav=/typo3/alt_db_navframe.php%3F&script=...&id=...

In general this should be fixed for TYPO3 4.3-beta3, however you still report this issue for that version.

<iframe id="content" scrolling="auto" frameborder="0" marginheight="0" marginwidth="0" name="content" src="/typo3/alt_mod_frameset.php?fW=0&nav=/typo3/alt_db_navframe.php%3F&script=..%2Ftypo3conf%2Fext%2Ftemplavoila%2Fmod1%2Findex.php&id=" style="height: 541px;">

It seems, that somes clicking fast twice gets the tree back.

<iframe id="content" scrolling="auto" frameborder="0" marginheight="0" marginwidth="0" name="content" src="/typo3/alt_mod_frameset.php?fW=0&nav=/typo3/alt_db_navframe.php%3F&script=..%2Ftypo3conf%2Fext%2Ftemplavoila%2Fmod1%2Findex.php&id=" style="height: 541px;">

no difference to see if it is working :(

Nov 13 15:51:16 wwwtest http://wwwtest.xxxxxxxx/: - Core: The URL "../typo3conf/ext/templavoila/mod1/index.php" is not considered to be local and was denied.
Nov 13 15:51:16 wwwtest http://wwwtest.xxxxxxxx/: - Core: The URL "/typo3/alt_db_navframe.php?" is not considered to be local and was denied.

From the logfiles.

the output after clicking the page module from:

self::debug($url );
                        self::debug($testAbsoluteUrl);
                        self::debug($testRelativeUrl);

in sanitizeLocalURL:

Hm, that's strange...
What is the base path to your TYPO3 backend (e.g. http://mydomain.com/subDirectory/typo3/backend.php)?

Oh, and could you please also debug self::getIndpEnv('TYPO3_SITE_PATH')? Thanks

the basepath is: http://wwwtest.xxxxx.xxxx/typo3

I will debug TYPO3_SITE_PATH later today,

t3lib_div::debug(t3lib_div::getIndpEnv('TYPO3_SITE_PATH'));
in the main function of alt_mod_frameset.php gives :
/

which seems correct.

The same result is obtained if debugging in class.t3lib_div.php::sanitizeLocalURL

That looks all correct. What puzzles me is the fact that it happens only sometimes as you write in your initial bug description. If you can manage to have it reproducible I'd like to investigate further.

Further debugging gave a result:
For all wrong calls self::isValidUrl($decodedUrl) returned true, which skipped all if's. I think the if-cascade is wrong, the first if should surround the if/ifelse block, and not be a part of it. See below.

public static function sanitizeLocalUrl($url = '') {
        $sanitizedUrl = '';
        $decodedUrl = rawurldecode($url);

if (!empty($url) && self::removeXSS($decodedUrl) === $decodedUrl) {
            $testAbsoluteUrl = self::resolveBackPath($decodedUrl);
            $testRelativeUrl = self::resolveBackPath(
                t3lib_div::dirname(t3lib_div::getIndpEnv('SCRIPT_NAME')) . '/' . $decodedUrl
            );
                      // Pass if URL is on the current host:
            if (self::isValidUrl($decodedUrl)) {
                self::sysLog('isValidUrl','Core', self::SYSLOG_SEVERITY_NOTICE); 
                if (self::isOnCurrentHost($decodedUrl) && strpos($decodedUrl, self::getIndpEnv('TYPO3_SITE_URL')) === 0) {
                    $sanitizedUrl = $url;

// Pass if URL is an absolute file path:
                } elseif (self::isAbsPath($decodedUrl) && self::isAllowedAbsPath($decodedUrl)) {
                    $sanitizedUrl = $url;
                // Pass if URL is absolute and below TYPO3 base directory:
                } elseif (strpos($testAbsoluteUrl, self::getIndpEnv('TYPO3_SITE_PATH')) === 0 && substr($decodedUrl, 0, 1) === '/') {
                    $sanitizedUrl = $url;
                // Pass if URL is relative and below TYPO3 base directory:
                } elseif (strpos($testRelativeUrl, self::getIndpEnv('TYPO3_SITE_PATH')) === 0 && substr($decodedUrl, 0, 1) !== '/') {
                    $sanitizedUrl = $url;
                }
            }
        }

if (!empty($url) && empty($sanitizedUrl)) {
            self::sysLog('The URL "' . $url . '" is not considered to be local and was denied.', 'Core', self::SYSLOG_SEVERITY_NOTICE);
        }

return $sanitizedUrl;
    }

With RC1, it always happens e.g. when switching from filelist to page-modul or vice versa.

Whicht PHP version do you use exactly?

PHP Version
5.2.6
Web Server
Apache/2.2.9 (FreeBSD) mod_ssl/2.2.9 OpenSSL/0.9.8e DAV/2 PHP/5.2.6 with Suhosin-Patch

Do you have DAM installed?
Standby some minutes, I'm going to create a patch for the isValidUrl() thingy...

Yes DAM is installed.

• http://www.google.de/ -> shoud return true
• /typo3/whatever/script.php -> shoud return false

To work around now it's checked whether an URL starts with an URL scheme

Yes, that patch solves the problem.

Ok - I'm going to post it on the Core List then

• TYPO3_4-2 (rev. 6517)
• Trunk (rev. 6518)

http://bugs.php.net/bug.php?id=49403

Björn, could you please test the 0012581_followup.patch file?
It add an additional flag to the filter_var() function call that seems not to be used on some PHP5.2 version (e.g. yours). Thanks in advance!

Just tested, it is still working correctly with the followup-patch.

• TYPO3_4-2 (rev. 6529)
• Trunk (rev. 6530)