Bug #33197
Closed
t3lib_div returns wrong value for TYPO3_SITE_SCRIPT if the request URL contains percent-encoded characters
Description
I have a site hosted under www.example.com/~user/ and I am using RealURL. Accessing www.example.com/~user/ from a browser works fine, but I found that it does not work when I click on the link www.example.com/~user/ in a PDF file opened in Adobe Reader. The reason is that Adobe Reader will actually open the link www.example.com/%7Euser/ where ~ is encoded as %7E. As a result, t3lib_div will return a wrong value for t3lib_div::getIndpEnv('TYPO3_SITE_SCRIPT'), which ultimately passes a wrong value of siteScript to RealURL, breaking everything.
The problem is that it is assumed that the TYPO3_SITE_URL has the same number of characters as the site URL specified in TYPO3_REQUEST_URL. But this is not true if the original request URL contains percent-encoded characters. My quick and dirty fix is to do
$request_url = str_replace(array("%7e", "%7E"), "~", t3lib_div::getIndpEnv('TYPO3_REQUEST_URL'));
$retVal = substr($request_url,strlen(t3lib_div::getIndpEnv('TYPO3_SITE_URL')));
instead of
$retVal = substr(self::getIndpEnv('TYPO3_REQUEST_URL'), strlen(self::getIndpEnv('TYPO3_SITE_URL')));
in the file class.t3lib_div.php.
Obviously, this is not a general solution to the problem. I think the best solution would be to automatically decode all percent-encoded characters in the request URL at an early stage. I am not familiar enough with TYPO3 to be able to suggest a specific fix or where it should be implemented.
Updated by Markus Klein almost 13 years ago
Debug values of getIndpEnv with call http://dev/%7Et3test/:
REQUEST_URI: /%7Et3test/
HTTP_REFERER:
TYPO3_REQUEST_HOST: http://dev
TYPO3_REQUEST_URL: http://dev/%7Et3test/
TYPO3_REQUEST_SCRIPT: http://dev/~t3test/index.php
TYPO3_REQUEST_DIR: http://dev/~t3test/
TYPO3_SITE_URL: http://dev/~t3test/
TYPO3_SITE_SCRIPT: t/
TYPO3_SSL:
TYPO3_REV_PROXY:
SCRIPT_NAME: /~t3test/index.php
TYPO3_DOCUMENT_ROOT: /var/www/html
SCRIPT_FILENAME: /var/www/html/~t3test/index.php
With call http://dev/~t3test/:
REQUEST_URI: /~t3test/
HTTP_REFERER:
TYPO3_REQUEST_HOST: http://dev
TYPO3_REQUEST_URL: http://dev/~t3test/
TYPO3_REQUEST_SCRIPT: http://dev/~t3test/index.php
TYPO3_REQUEST_DIR: http://dev/~t3test/
TYPO3_SITE_URL: http://dev/~t3test/
TYPO3_SITE_SCRIPT:
TYPO3_SSL:
TYPO3_REV_PROXY:
SCRIPT_NAME: /~t3test/index.php
TYPO3_DOCUMENT_ROOT: /var/www/html
SCRIPT_FILENAME: /var/www/html/~t3test/index.php
Updated by Gerrit Code Review almost 13 years ago
- Status changed from New to Under Review
Patch set 2 for branch master has been pushed to the review server.
It is available at http://review.typo3.org/7827
Updated by Gerrit Code Review over 12 years ago
Patch set 3 for branch master has been pushed to the review server.
It is available at http://review.typo3.org/7827
Updated by Gerrit Code Review over 12 years ago
Patch set 4 for branch master has been pushed to the review server.
It is available at http://review.typo3.org/7827
Updated by Gerrit Code Review over 12 years ago
Patch set 5 for branch master has been pushed to the review server.
It is available at http://review.typo3.org/7827
Updated by Gerrit Code Review over 12 years ago
Patch set 6 for branch master has been pushed to the review server.
It is available at http://review.typo3.org/7827
Updated by Gerrit Code Review over 12 years ago
Patch set 7 for branch master has been pushed to the review server.
It is available at http://review.typo3.org/7827
Updated by Alexander Opitz over 11 years ago
- Status changed from Under Review to New
Patch was Abandoned so a new patch is needed.
Updated by Mathias Schreiber almost 10 years ago
- Status changed from New to Needs Feedback
- Assignee set to Helmut Hummel
- Is Regression set to No
hey Helmut, thoughts on this one?
Updated by Helmut Hummel almost 10 years ago
- Assignee deleted (Helmut Hummel)
Mathias Schreiber wrote:
hey Helmut, thoughts on this one?
getIndpEnv is broken on many levels and should be removed in favor of a proper environment class.
The issue described here has its reasons in the multiple nested string operations done in getIndpEnv where strings are compared and replaced which have nothing to do with each other (local file path vs. given request URL).
The patch attached to this bug report tried to fix this by generally "normalizing" the request URL with rawurldecode, which is absolutely wrong, breaking and potentially even harmful security-wise.
I'm not saying it is impossible to fix this edge case, but it will be pretty hard to do so. And it most likely will be fixed by throwing away getIndpEnv in favor of an environment object.
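Added example, not part of the original thread and not TYPO3 code: the length-based computation from the report reproduces the `t/` value in the debug output above, next to a segment-wise prefix match that decodes only for comparison and leaves the remainder encoded. The function names and the `a%2Fb` URL are constructed for illustration, and the sketch compares paths only, ignoring scheme and host.

```php
<?php
// Added illustration only; these function names are hypothetical, not TYPO3 API.

// The computation from class.t3lib_div.php quoted in the report.
function siteScriptByLength(string $requestUrl, string $siteUrl): string
{
    return (string)substr($requestUrl, strlen($siteUrl));
}

// Decode each path segment on its own, so an encoded slash (%2F) stays
// inside its segment instead of turning into a path separator.
function decodedSegments(string $path): array
{
    return array_map('rawurldecode', explode('/', $path));
}

// Match the site path against the request path segment by segment and return
// the remainder still encoded, or null if the request is outside the site path.
function siteScriptBySegments(string $requestUrl, string $siteUrl): ?string
{
    $sitePath = rtrim((string)parse_url($siteUrl, PHP_URL_PATH), '/');
    $requestPath = (string)parse_url($requestUrl, PHP_URL_PATH);
    $siteSegments = decodedSegments($sitePath);
    $prefix = array_slice(decodedSegments($requestPath), 0, count($siteSegments));
    if ($prefix !== $siteSegments) {
        return null;
    }
    $rest = implode('/', array_slice(explode('/', $requestPath), count($siteSegments)));
    $query = parse_url($requestUrl, PHP_URL_QUERY);
    return is_string($query) ? $rest . '?' . $query : $rest;
}

$siteUrl = 'http://dev/~t3test/';            // TYPO3_SITE_URL from the debug output
$encoded = 'http://dev/%7Et3test/';          // request URL from the debug output
$nested  = 'http://dev/%7Et3test/a%2Fb?x=1'; // constructed sample

var_dump(siteScriptByLength($encoded, $siteUrl));              // offset is two characters short
var_dump(siteScriptBySegments($encoded, $siteUrl));            // prefix matched after decoding
var_dump(siteScriptByLength(rawurldecode($nested), $siteUrl)); // whole-URL decode: %2F became "/"
var_dump(siteScriptBySegments($nested, $siteUrl));             // remainder keeps %2F intact
var_dump(siteScriptBySegments('http://dev/other/', $siteUrl)); // outside the site path
```

Decoding the whole URL before routing changes how many path segments the application sees, which is one concrete way a global rawurldecode alters request semantics.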
Updated by Alexander Opitz over 9 years ago
- Status changed from Needs Feedback to New
- Target version set to 8 LTS
Sounds more like an architectural issue so putting into 8.
Updated by Benni Mack over 7 years ago
- Target version changed from 8 LTS to Candidate for Major Version
Updated by Susanne Moog over 4 years ago
- Status changed from New to Rejected
As this is a very specific edge case and in the meantime we have implemented an Environment class as well as a completely new routing mechanism, I'm going to close this issue now.