[SECURITY] Fix open redirection in GeneralUtility::sanitizeLocalUrl

bnf · ohader · commit 22c2dd5398eb · 2026-06-09T10:56:46.000+02:00
Resolves: #109694 Releases: main, 14.3, 13.4 Change-Id: I8c8ce23c3d6042e5d1afffa6e35237e6a746fd08 Security-Bulletin: TYPO3-CORE-SA-2026-009 Security-References: CVE-2026-47347 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/94402 Tested-by: Oliver Hader <oliver.hader@typo3.org> Reviewed-by: Oliver Hader <oliver.hader@typo3.org>
diff --git a/typo3/sysext/core/Classes/Utility/GeneralUtility.php b/typo3/sysext/core/Classes/Utility/GeneralUtility.php
@@ -2595,8 +2595,28 @@ public static function sanitizeLocalUrl(string $url): string
     {
         $sanitizedUrl = '';
         if (!empty($url)) {
-            if (strpbrk($url, "\n\r\x00") !== false) {
-                static::getLogger()->notice('URL "{url}" contains unexpected whitespace and was denied as local url.', ['url' => $url]);
+            $validUrlCharacters = [
+                // Percent-Encoding: https://datatracker.ietf.org/doc/html/rfc3986#section-2.1
+                '%',
+
+                // Reserved Characters: https://datatracker.ietf.org/doc/html/rfc3986#section-2.2
+                // gen-delims
+                ':', '/', '?', '#', '[', ']', '@',
+                // sub-delims
+                '!', '$', '&', '\'', '(', ')', '*', '+', ',', ';', '=',
+
+                // Unreserved Characters: https://datatracker.ietf.org/doc/html/rfc3986#section-2.3
+                '-', '.', '_', '~',
+                // ALPHA
+                'a', 'b', 'c', 'd', 'e', 'f', 'g', 'h', 'i', 'j', 'k', 'l', 'm', 'n', 'o', 'p', 'q', 'r', 's', 't', 'u', 'v', 'w', 'x', 'y', 'z',
+                'A', 'B', 'C', 'D', 'E', 'F', 'G', 'H', 'I', 'J', 'K', 'L', 'M', 'N', 'O', 'P', 'Q', 'R', 'S', 'T', 'U', 'V', 'W', 'X', 'Y', 'Z',
+                // DIGIT
+                '0', '1', '2', '3', '4', '5', '6', '7', '8', '9',
+            ];
+
+            $hasInvalidCharacters = str_replace($validUrlCharacters, '', $url) !== '';
+            if ($hasInvalidCharacters) {
+                static::getLogger()->notice('The URL "{url}" contains unexpected characters and was denied as local url.', ['url' => $url]);
                 return '';
             }
 
diff --git a/typo3/sysext/core/Tests/Unit/Utility/GeneralUtilityTest.php b/typo3/sysext/core/Tests/Unit/Utility/GeneralUtilityTest.php
@@ -1384,18 +1384,28 @@ public static function sanitizeLocalUrlValidUrlsDataProvider(): array
                 'localhost',
                 '/cms/',
             ],
-            '/cms/typo3/alt_intro.php&param=oneparam' => [
-                '/cms/typo3/alt_intro.php&param=oneparam',
+            '/cms/foo/%3Fbar?baz' => [
+                '/cms/foo/%3Fbar?baz',
                 'localhost',
                 '/cms/',
             ],
-            '/cms/typo3/alt_intro.php&param=oneparam with spaces' => [
-                '/cms/typo3/alt_intro.php&param=oneparam with spaces',
+            '/cms/typo3/alt_intro.php?param=oneparam' => [
+                '/cms/typo3/alt_intro.php?param=oneparam',
                 'localhost',
                 '/cms/',
             ],
-            '/cms/typo3/alt_intro.php&param=oneparam with spaces&normalparam=2' => [
-                '/cms/typo3/alt_intro.php&param=oneparam with spaces',
+            '/cms/typo3/alt_intro.php?param=oneparam+with+spaces' => [
+                '/cms/typo3/alt_intro.php?param=oneparam+with+spaces',
+                'localhost',
+                '/cms/',
+            ],
+            '/cms/typo3/alt_intro.php?param=oneparam%20with%20spaces' => [
+                '/cms/typo3/alt_intro.php?param=oneparam%20with%20spaces',
+                'localhost',
+                '/cms/',
+            ],
+            '/cms/typo3/alt_intro.php?param=oneparam%20with%20spaces&normalparam=2' => [
+                '/cms/typo3/alt_intro.php?param=oneparam%20with%20spaces',
                 'localhost',
                 '/cms/',
             ],
@@ -1453,7 +1463,28 @@ public static function sanitizeLocalUrlInvalidDataProvider(): array
             'empty string' => [''],
             'http domain' => ['http://www.google.de/'],
             'https domain' => ['https://www.google.de/'],
+            'https domain with' => ['https://www.google.de/'],
+            'https domain with escape at start' => ['https:\\//www.google.de'],
+            'https domain with escape in between' => ['https:/\\/www.google.de'],
+            'https domain with escape after' => ['https://\\www.google.de'],
+            'https domain with escape instead of slash' => ['https:/\\www.google.de'],
+            'https domain with double backslash' => ['https:\\\\www.google.de'],
+            'https domain with double backslash and one slash' => ['https:\\/www.google.de'],
+            'https domain with quad slash' => ['https:////www.google.de'],
+            'https domain with newline' => ["htt\nps://www.google.de"],
             'domain without schema' => ['//www.google.de/'],
+            'domain without schema escape at start' => ['\\//www.google.de', true],
+            'domain without schema escape in between' => ['/\\/www.google.de', true],
+            'domain without schema escape after' => ['//\\www.google.de', true],
+            'domain without schema escape instead of slash' => ['/\\www.google.de', true],
+            'domain without schema with double backslash' => ['\\\\www.google.de', true],
+            'domain without schema with double backslash and one slash' => ['\\/www.google.de', true],
+            'domain without schema with quad slash' => ['////www.google.de'],
+            'domain without schema with newline' => ["/\n/www.google.de", true],
+            'domain without schema with EOT' => ["\x04//google.de", true],
+            'domain without schema with bell' => ["\x07//google.de", true],
+            'domain without schema with backspace' => ["\x08//google.de", true],
+            'domain without schema with form feed' => ["\x0c//google.de", true],
             'XSS attempt' => ['" onmouseover="alert(123)"'],
             'invalid URL, UNC path' => ['\\\\foo\\bar\\'],
             'invalid URL, HTML break out attempt' => ['" >blabuubb'],
@@ -1463,6 +1494,7 @@ public static function sanitizeLocalUrlInvalidDataProvider(): array
             'relative URL with location header injection attempt (not known to work) via vertical white space' => ["\v" . '//evil.site/'],
             'HTTP header smuggling attempt' => ["/\r\nX-Injected: evil", true],
             'null-byte break out attempt' => ["http\x00://www.google.de"],
+            'path invalid because it contains unencoded spaces' => ['/cms/typo3/alt_intro.php&param=oneparam with spaces', true],
         ];
     }
 
