Bug #80327

"L" parameter not excluded in TYPO3\CMS\Frontend\ContentObject\ContentObjectRenderer::getUrlToCurrentLocation

Added by DMK E-BUSINESS GmbH about 3 years ago. Updated about 1 year ago.

Status: Closed
Priority: Must have
Assignee: -
Category: -
Target version: -
Start date: 2017-03-17
Due date:
% Done: 0%
TYPO3 Version: 6.2
PHP Version: 5.5
Tags:
Complexity:
Is Regression: No
Sprint Focus:

Description

Let's say someone calls a page with a bad "L" parameter like index.php?id=1&L=bad-value. With the TypoScript config.linkVars = L(0-2) this value is not valid and does not get added to links created on that page. Except when there is a typolink with addQueryString set and without addQueryString.exclude = L.

When config.prefixLocalAnchors = all is set the method TYPO3\CMS\Frontend\ContentObject\ContentObjectRenderer::getUrlToCurrentLocation is called. In this method there is no way to add the "L" parameter to the excluded parameters (addQueryString.exclude) if it has an invalid value. This is because the "L" parameter is invalid due to config.linkVars = L(0-2). Therefore $GLOBALS['TSFE']->linkVars is empty which leads to not having the "L" parameter excluded although it has to be. So when the current URL gets a bad "L" parameter added, a link is generated with a bad "L" parameter.

This might open security holes and can lead to conflicts with extensions like realurl.

Additionally I wonder if it's necessary to not exclude the L parameter for every addQueryString after all. Users should have configured config.linkVars correctly for multi language sites. With that TYPO3 takes care of adding the "L" parameter itself when valid.
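The mechanism described in the report above, as an added example: a simplified stand-alone PHP model, not TYPO3 core code and not code from the reporter. All function names are hypothetical, only the `name(min-max)` form of config.linkVars from the report is handled, and the baseline exclusion of id, type and cHash is an assumption of the model.

```php
<?php
// Simplified model of the reported behaviour; not TYPO3 core code.
// Function names are hypothetical.

// Parse a linkVars spec such as "L(0-2)" into [name => [min, max]] (null = no test).
function parseLinkVarsSpec($spec) {
    $rules = array();
    foreach (array_filter(array_map('trim', explode(',', $spec))) as $item) {
        if (preg_match('/^(.+)\((\d+)-(\d+)\)$/', $item, $m)) {
            $rules[$m[1]] = array((int)$m[2], (int)$m[3]);
        } else {
            $rules[$item] = null;
        }
    }
    return $rules;
}

// Keep only the GET parameters that pass their test (the validated linkVars).
function validLinkVars(array $rules, array $get) {
    $valid = array();
    foreach ($rules as $name => $range) {
        if (!isset($get[$name]) || !is_scalar($get[$name])) {
            continue;
        }
        $value = (string)$get[$name];
        if ($range !== null) {
            $n = (int)$value;
            if (!ctype_digit($value) || $n < $range[0] || $n > $range[1]) {
                continue; // invalid value: dropped from linkVars
            }
        }
        $valid[$name] = $value;
    }
    return $valid;
}

// Copy the current query string into a link, minus the excluded names.
function currentLocationQuery(array $get, array $excludeNames) {
    // Assumption of this model: id, type and cHash are always excluded.
    $exclude = array_merge(array('id', 'type', 'cHash'), $excludeNames);
    return http_build_query(array_diff_key($get, array_flip($exclude)));
}

$rules = parseLinkVarsSpec('L(0-2)');
$get = array('id' => '1', 'L' => 'bad-value'); // constructed request, as in the report

// Reported behaviour: the exclude list comes from the validated linkVars,
// which is empty here, so the invalid L is carried into the generated link.
echo currentLocationQuery($get, array_keys(validLinkVars($rules, $get))), "\n";

// Stricter variant: exclude every name declared in config.linkVars, valid or not.
echo currentLocationQuery($get, array_keys($rules)), "\n";
```

The stricter variant follows the reporter's suggestion of always excluding "L" from addQueryString and leaving it to the validated linkVars to add the parameter back when its value is allowed.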

History

#1 Updated by Benni Mack over 1 year ago

  • Status changed from New to Needs Feedback

Hey,

this issue should be fixed with 9 LTS and site handling. Please let us know if the new version will solve your issue, otherwise we'll close this ticket in the next weeks.

Benni.

#2 Updated by Riccardo De Contardi about 1 year ago

  • Status changed from Needs Feedback to Closed

No feedback since 90+ days => closing this issue.

If you think that this is the wrong decision or experience the issue again and have more information about how to reproduce your problem on recent TYPO3 versions like 9.5.x or the latest Master, please reopen it or open a new issue with a reference to this one.

Thank you and best regards
