
Securityfix for typo3-src in testing



Hi there !

A security vulnerability has been found in typo3 4.0.2, which is currently
in testing. You can find further information here:

http://typo3.org/teams/security/security-bulletins/typo3-20070221-1/
A bug has been filed against the packages: #412019.

I fixed that hole and made new packages (see debdiff in attachment).
Where should i ask my sponsor Daniel Baumann to upload the fixed packages to?

Please set CC to me, because im not subscribed to this list.

-- 
 MfG, Christian Welzel

  GPG-Key:     http://www.camlann.de/key.asc
  Fingerprint: 4F50 19BF 3346 36A6 CFA9 DBDC C268 6D24 70A1 AD15
diff -u typo3-src-4.0.2+debian/debian/changelog typo3-src-4.0.2+debian/debian/changelog
--- typo3-src-4.0.2+debian/debian/changelog
+++ typo3-src-4.0.2+debian/debian/changelog
@@ -1,3 +1,10 @@
+typo3-src (4.0.2+debian-3) testing; urgency=medium
+
+  * Fixed security problem "TYPO3 Security Bulletin 20070221-1: Email header 
+    injection" with patch taken from 4.0.5. (Closes: 412019)
+
+ -- Christian Welzel <gawain@camlann.de>  Thu, 22 Feb 2007 22:30:00 +0100
+
 typo3-src (4.0.2+debian-2) testing; urgency=high
 
   * Fixed security problem in rtehtmlarea extension with patch from typo3-src 
diff -u typo3-src-4.0.2+debian/debian/patches/00list typo3-src-4.0.2+debian/debian/patches/00list
--- typo3-src-4.0.2+debian/debian/patches/00list
+++ typo3-src-4.0.2+debian/debian/patches/00list
@@ -1,0 +2 @@
+02-SecBull-20070221-1
only in patch2:
unchanged:
--- typo3-src-4.0.2+debian.orig/debian/patches/02-SecBull-20070221-1.dpatch
+++ typo3-src-4.0.2+debian/debian/patches/02-SecBull-20070221-1.dpatch
@@ -0,0 +1,84 @@
+#!/bin/sh /usr/share/dpatch/dpatch-run
+## 02-SecBull-20070221-1.dpatch by Christian Welzel <gawain@camlann.de>
+##
+## DP: fix for TYPO3 Security Bulletin 20070221-1: Email header injection
+
+@DPATCH@
+
+diff -Naur typo3_src-4.0.2_old/t3lib/class.t3lib_formmail.php typo3_src-4.0.2/t3lib/class.t3lib_formmail.php
+--- typo3_src-4.0.2_old/t3lib/class.t3lib_formmail.php	2006/07/17 16:38:30	1646
++++ typo3_src-4.0.2/t3lib/class.t3lib_formmail.php	2007/02/21 04:39:40	2144
+@@ -68,6 +68,7 @@
+  */
+ class t3lib_formmail extends t3lib_htmlmail {
+ 	var $reserved_names = 'recipient,recipient_copy,auto_respond_msg,redirect,subject,attachment,from_email,from_name,replyto_email,replyto_name,organisation,priority,html_enabled,quoted_printable,submit_x,submit_y';
++	var $dirtyHeaders = array();	// collection of suspicious header data, used for logging
+ 
+ 
+ 	/**
+@@ -113,19 +114,28 @@
+ 				// convert form data from renderCharset to mail charset
+ 			$val = ($V['subject']) ? $V['subject'] : 'Formmail on '.t3lib_div::getIndpEnv('HTTP_HOST');
+ 			$this->subject = ($convCharset && strlen($val)) ? $GLOBALS['TSFE']->csConvObj->conv($val,$GLOBALS['TSFE']->renderCharset,$this->charset) : $val;
++			$this->subject = $this->sanitizeHeaderString($this->subject);
+ 			$val = ($V['from_name']) ? $V['from_name'] : (($V['name'])?$V['name']:'');
+ 			$this->from_name = ($convCharset && strlen($val)) ? $GLOBALS['TSFE']->csConvObj->conv($val,$GLOBALS['TSFE']->renderCharset,$this->charset) : $val;
++			$this->from_name = $this->sanitizeHeaderString($this->from_name);
++			$this->from_name = preg_match( '/\s|,/', $this->from_name ) >= 1 ? '"'.$this->from_name.'"' : $this->from_name;
+ 			$val = ($V['replyto_name']) ? $V['replyto_name'] : $this->from_name;
+ 			$this->replyto_name = ($convCharset && strlen($val)) ? $GLOBALS['TSFE']->csConvObj->conv($val,$GLOBALS['TSFE']->renderCharset,$this->charset) : $val;
++			$this->replyto_name = $this->sanitizeHeaderString($this->replyto_name);
++			$this->replyto_name = preg_match( '/\s|,/', $this->replyto_name ) > 1 ? '"'.$this->replyto_name.'"' : $this->replyto_name;
+ 			$val = ($V['organisation']) ? $V['organisation'] : '';
+ 			$this->organisation = ($convCharset && strlen($val)) ? $GLOBALS['TSFE']->csConvObj->conv($val,$GLOBALS['TSFE']->renderCharset,$this->charset) : $val;
++			$this->organisation = $this->sanitizeHeaderString($this->organisation);
+ 
+ 			$this->from_email = ($V['from_email']) ? $V['from_email'] : (($V['email'])?$V['email']:'');
++			$this->from_email = t3lib_div::validEmail($this->from_email) ? $this->from_email : '';
+ 			$this->replyto_email = ($V['replyto_email']) ? $V['replyto_email'] : $this->from_email;
++			$this->replyto_email = t3lib_div::validEmail($this->replyto_email) ? $this->replyto_email : '';
+ 			$this->priority = ($V['priority']) ? t3lib_div::intInRange($V['priority'],1,5) : 3;
+ 
+ 				// Auto responder.
+ 			$this->auto_respond_msg = (trim($V['auto_respond_msg']) && $this->from_email) ? trim($V['auto_respond_msg']) : '';
++			$this->auto_respond_msg = $this->sanitizeHeaderString($this->auto_respond_msg);
+ 
+ 			$Plain_content = '';
+ 			$HTML_content = '<table border="0" cellpadding="2" cellspacing="2">';
+@@ -173,6 +183,13 @@
+ 			if ($V['recipient_copy'])	{
+ 				$this->recipient_copy = trim($V['recipient_copy']);
+ 			}
++				// log dirty header lines
++			if ($this->dirtyHeaders)	{
++				t3lib_div::sysLog( 'Possible misuse of t3lib_formmail: see TYPO3 devLog', 'Core', 3 );
++				if ($GLOBALS['TYPO3_CONF_VARS']['SYS']['enable_DLOG'])	{
++					t3lib_div::devLog( 't3lib_formmail: '. t3lib_div::arrayToLogString($this->dirtyHeaders, '', 200 ), 'Core', 3 );
++				}
++			}
+ 		}
+ 	}
+ 
+@@ -201,6 +218,22 @@
+ 			return true;
+ 		} else { return false;}
+ 	}
++
++
++	/**
++	 * Checks string for suspicious characters
++	 *
++	 * @param	string	String to check
++	 * @return	string	Valid or empty string
++	 */
++	function sanitizeHeaderString ($string)	{
++		$pattern = '/[\r\n\f\e]/';
++		if (preg_match($pattern, $string) > 0)	{
++			$this->dirtyHeaders[] = $string;
++			$string = '';
++		}
++		return $string;
++	}
+ }
+ 
+ 
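Review bot: In the inner hunk at `@@ -113,19 +114,28 @@`, the quoting test for `replyto_name` checks `preg_match( '/\s|,/', $this->replyto_name ) > 1`, but preg_match() returns only 0 or 1, so a submitted reply-to name containing whitespace or a comma is never quoted, unlike `from_name`, which uses `>= 1`. The comparison should be `>= 1` (or `=== 1`), with a guard so that the fallback to the already-quoted `from_name` is not wrapped a second time. Both quoting lines also wrap the value without escaping an embedded `"` or backslash, which the `/[\r\n\f\e]/` pattern in sanitizeHeaderString() does not reject. Separately, the context line `$this->recipient_copy = trim($V['recipient_copy']);` gets neither sanitizeHeaderString() nor t3lib_div::validEmail(); if that value can come from the submitted form, it presumably needs the same validation as `from_email`. The enclosing function begins outside the visible hunks, so how these fields reach the mail headers cannot be confirmed from here.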
