Bug #80327

closed

"L" parameter not excluded in TYPO3\CMS\Frontend\ContentObject\ContentObjectRenderer::getUrlToCurrentLocation

Added by DMK E-BUSINESS GmbH over 7 years ago. Updated almost 6 years ago.

Status: Closed
Priority: Must have
Assignee: -
Category: -
Target version: -
Start date: 2017-03-17
Due date:
% Done: 0%
Estimated time:
TYPO3 Version: 6.2
PHP Version: 5.5
Tags:
Complexity:
Is Regression: No
Sprint Focus:

Description

Let's say someone calls a page with a bad "L" parameter like index.php?id=1&L=bad-value. With the TypoScript config.linkVars = L(0-2) this value is not valid and does not get added to links created on that page, except when there is a typolink with addQueryString set and without addQueryString.exclude = L.

When config.prefixLocalAnchors = all is set, the method TYPO3\CMS\Frontend\ContentObject\ContentObjectRenderer::getUrlToCurrentLocation is called. In this method there is no way to add the "L" parameter to the excluded parameters (addQueryString.exclude) if it has an invalid value. This is because the "L" parameter is invalid due to config.linkVars = L(0-2). Therefore $GLOBALS['TSFE']->linkVars is empty, which leads to the "L" parameter not being excluded although it has to be. So when the current URL gets a bad "L" parameter added, a link is generated with a bad "L" parameter.

This might open security holes and can lead to conflicts with extensions like realurl.

Additionally I wonder if it's necessary to not exclude the L parameter for every addQueryString after all. Users should have configured config.linkVars correctly for multi language sites. With that TYPO3 takes care of adding the "L" parameter itself when valid.
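
The behaviour described in this report, modelled as a standalone PHP sketch (an added example, not TYPO3's code and not written by the reporter). All function names, and the reduction of the exclude list to id plus the link variable names, are assumptions of this model; the request values are the ones from the report.

```php
<?php
// Standalone model of the report above. Not TYPO3 code: all function names are hypothetical.

// Parse a config.linkVars string into name => [min, max], or null when unrestricted.
// Only the "name(min-max)" range form used in the report is modelled.
function parseLinkVarsConfig($config) {
    $rules = [];
    foreach (array_filter(array_map('trim', explode(',', $config))) as $item) {
        if (preg_match('/^(\w+)\((\d+)-(\d+)\)$/', $item, $m)) {
            $rules[$m[1]] = [(int)$m[2], (int)$m[3]];
        } else {
            $rules[$item] = null;
        }
    }
    return $rules;
}

// Keep only the GET parameters that satisfy their rule (the validated link variables).
function validLinkVars(array $rules, array $get) {
    $valid = [];
    foreach ($rules as $name => $range) {
        if (!isset($get[$name]) || !is_scalar($get[$name])) {
            continue; // missing, or an array such as L[]=x: never a valid link variable
        }
        $value = (string)$get[$name];
        if ($range === null
            || (ctype_digit($value) && (int)$value >= $range[0] && (int)$value <= $range[1])) {
            $valid[$name] = $value;
        }
    }
    return $valid;
}

// Rebuild the current URL: copy the query string minus $exclude, then add the valid link variables.
function currentUrl(array $get, array $exclude, array $linkVars) {
    $copied = array_diff_key($get, array_flip($exclude));
    return 'index.php?' . http_build_query(['id' => $get['id']] + $copied + $linkVars);
}

$rules = parseLinkVarsConfig('L(0-2)');
$get   = ['id' => '1', 'L' => 'bad-value']; // constructed request, values from the report
$valid = validLinkVars($rules, $get);       // "bad-value" fails the 0-2 range check

// Reported behaviour: exclude list built from the validated variables, so the
// rejected "L" is not excluded and is copied from the request into the link.
echo currentUrl($get, array_merge(['id'], array_keys($valid)), $valid), "\n";

// Alternative: exclude every name configured in linkVars, whether or not the
// request value was valid, so only validated values can reach the link.
echo currentUrl($get, array_merge(['id'], array_keys($rules)), $valid), "\n";
```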
