Task #58850

closed

Redirect URLs containing special chars may lead to garbled headers

Added by Sven Carstens almost 10 years ago. Updated almost 9 years ago.

Status: Closed
Priority: Should have
Assignee: -
Category: -
Target version: -
Start date: 2014-05-16
Due date:
% Done: 0%
Estimated time:
TYPO3 Version: 4.7
PHP Version:
Tags:
Complexity:
Sprint Focus:

Description

Redirect URLs passed to the felogin extension which contain %0d%0a%20 (CRLF SPACE) lead to garbled headers in the response as the URI is not properly url encoded before passing it to the PHP header function.

curl -i http://localhost/ --data 'logintype=login&pass=g00dPa%24%24w0rD&pid=0&redirect_url=%0d%0a%20SomeCustomInjectedHeader:injected&submit=Anmelden&tx_felogin_pi1%5bnoredirect%5d=0&user=wwibephd'

---------------------------------------
HTTP/1.1 303 See Other
Date: Wed, 14 May 2014 14:06:25 GMT
Server: Apache/2.2.22 (Ubuntu)
X-Powered-By: PHP/5.3.10-1ubuntu3.11
Location: http://localhost/
SomeCustomInjectedHeader:injected
Vary: Accept-Encoding
Content-Length: 0
Content-Type: text/html
---------------------------------------

The CRLF SPACE combination will lead to a continuation header on the next line. During header parsing the browser will remove the CRLF WHITESPACE according to the specifications and won't redirect to the proper location.

The URL passed via the redirect_url parameter must be treated by rawurlescape() before being passed to the header function.
Quickest way to fix would be to change the t3lib_utility_Http around line 96.

- header('Location: ' . t3lib_div::locationHeaderUrl($url));
+ header('Location: ' . rawurlencode(t3lib_div::locationHeaderUrl($url)));
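
Review bot: rawurlencode() on the + line wraps the whole return value of t3lib_div::locationHeaderUrl($url), so the scheme and path delimiters get encoded as well (http://localhost/ becomes http%3A%2F%2Flocalhost%2F) and the Location value is no longer a usable absolute URL. Suggest rejecting CR and LF in the redirect_url value before it reaches header(), or encoding only the individual path and query components instead of the assembled URL.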


Related issues 1 (0 open, 1 closed)

Related to TYPO3 Core - Bug #58816: Response Splitting Vulnerability (Closed, 2014-05-15)

Actions #1

Updated by Helmut Hummel almost 10 years ago

  • Project changed from TYPO3 Core to 1716
Actions #2

Updated by Helmut Hummel almost 10 years ago

  • Project changed from 1716 to TYPO3 Core

http://www.ietf.org/rfc/rfc2616.txt

Section 4.2 of RFC 2616:

"A header may be spread over more than one line if you start the continuation
lines with a whitespace."

So this is no injection possibility but spanning a single header value over multiple lines.

Actions #3

Updated by Helmut Hummel almost 10 years ago

Sven Carstens wrote:

- header('Location: ' . t3lib_div::locationHeaderUrl($url));
+ header('Location: ' . rawurlencode(t3lib_div::locationHeaderUrl($url)));

Regarding this fix: this will not work, as it will encode the complete URL.

Instead redirect URL generation in felogin (including the urldecode there) needs to be fixed.
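
One way to make the redirect value header-safe without encoding the complete URL, which is the problem raised with the rawurlencode() patch above. This is an added example, not TYPO3 or felogin code; safeLocationUrl() and the sample inputs are hypothetical.

```php
<?php
// Added example: not TYPO3 or felogin code. safeLocationUrl() is a hypothetical helper.

/**
 * Return a value that is safe to append to "Location: ", or $fallback.
 * Call it on the final URL, after the last urldecode() and right before header().
 */
function safeLocationUrl($url, $fallback = '/')
{
    // CR, LF, TAB, NUL and other control bytes never belong in a header value.
    // Refuse the URL instead of trying to repair it.
    if (!is_string($url) || $url === '' || preg_match('/[\x00-\x1F\x7F]/', $url)) {
        return $fallback;
    }

    // Percent-encode only bytes that are not legal in a URL (space, quotes,
    // non-ASCII ...). Delimiters such as ":" "/" "?" "&" and existing %XX
    // escapes are left alone, so the URL keeps its structure.
    return preg_replace_callback(
        '/[^A-Za-z0-9\-._~:\/?#\[\]@!$&\'()*+,;=%]/',
        function ($m) {
            return rawurlencode($m[0]);
        },
        $url
    );
}

// Constructed inputs. The first is the decoded form of the redirect_url payload
// from the report, prefixed with the host as in the response shown there.
$samples = array(
    "http://localhost/\r\n SomeCustomInjectedHeader:injected",
    'http://localhost/index.php?id=12&title=a b',
);

foreach ($samples as $url) {
    echo 'rawurlencode(whole URL): ', rawurlencode($url), "\n";
    echo 'safeLocationUrl():       ', safeLocationUrl($url), "\n\n";
}
```

For the first input the helper returns the fallback, while rawurlencode() on the whole string also rewrites the legitimate prefix to http%3A%2F%2Flocalhost%2F.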

Actions #4

Updated by Markus Klein about 9 years ago

  • Status changed from New to Needs Feedback

Is this still an issue?

Actions #5

Updated by Alexander Opitz almost 9 years ago

  • Status changed from Needs Feedback to Closed

No feedback within the last 90 days => closing this issue.

If you think that this is the wrong decision or experience this issue again, then please write to the mailing list typo3.teams.bugs with issue number and an explanation or open a new ticket and add a relation to this ticket number.
