Commit c11f75ad authored by Carsten Rose

#3769 / Allow specific GET variables longer than SECURITY_GET_MAX_LENGTH.

Manual.rst: notes how to set up length exceptions to SECURITY_GET_MAX_LENGTH
config.php: implemented special handling of GET vars named with '..._<num>'.
parent a7500926
......@@ -294,7 +294,8 @@ config.qfq.ini
+-----------------------------+-------------------------------------------------+----------------------------------------------------------------------------+
| SECURITY_SHOW_MESSAGE | SECURITY_SHOW_MESSAGE = true | If an attack is detected, show a message |
+-----------------------------+-------------------------------------------------+----------------------------------------------------------------------------+
| SECURITY_GET_MAX_LENGTH | SECURITY_GET_MAX_LENGTH = 32 | Check that there are no GET vars longer than 'x' chars |
| SECURITY_GET_MAX_LENGTH | SECURITY_GET_MAX_LENGTH = 50 | GET vars longer than 'x' chars triggers an `attack-recognized`.
| | | `ExceptionMaxLength`_ |
+-----------------------------+-------------------------------------------------+----------------------------------------------------------------------------+
Example: *typo3conf/config.qfq.ini*
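Review bot: the added row `| SECURITY_GET_MAX_LENGTH | SECURITY_GET_MAX_LENGTH = 50 | GET vars longer than 'x' chars triggers an ...` has no closing `|` after `attack-recognized`.`, unlike every other row in this grid table; reStructuredText grid tables need the `|` border at the end of every row line, so the table is likely to stop rendering. Close the cell on that line (the `ExceptionMaxLength`_ reference can stay in the continuation row). Two smaller points: "triggers" should be "trigger", and the documented default changes from 32 to 50 in this hunk without being mentioned in the commit message; if the code default changed too, say so in the message, otherwise the table and the code now disagree.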
......@@ -354,6 +355,16 @@ E.g. to setup a contact address and reuse the information inside your installati
{{ADMINISTRATIVE_CONTACT:Y}}, {{ADMINISTRATIVE_ADDRESS:Y}}, {{ADMINISTRATIVE_NAME}}
.. _`ExceptionMaxLength`:
Exception for SECURITY_GET_MAX_LENGTH
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
If it is necessary to use a GET variable which exceeds SECURITY_GET_MAX_LENGTH limit, name the variable with '_<num>' at
the end. E.g. `my_long_variable_130`. Such a variable has an allowed length of 130 chars. Access such a variable as
usual with the variable name: `{{my_long_variable_130:C:...}}`.
.. _local-documentation:
Local Documentation
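Review bot: the new section should spell out the side effect of the naming rule: every GET variable whose name ends in `_<digits>` is now treated as a length exception, so an existing name such as `item_2` would be limited to 2 characters instead of SECURITY_GET_MAX_LENGTH, and the limit is read from the parameter name in the request rather than from a server-side list. A sentence like "Note that any variable name ending in '_' followed by digits is interpreted this way" would save users from a surprising attack-recognized. Minor wording: "exceeds SECURITY_GET_MAX_LENGTH limit" reads better as "exceeds the SECURITY_GET_MAX_LENGTH limit".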
......
......@@ -377,6 +377,8 @@ const SYSTEM_SECURITY_ATTACK_DELAY = 'SECURITY_ATTACK_DELAY'; // Detected attack
const SYSTEM_SECURITY_SHOW_MESSAGE = 'SECURITY_SHOW_MESSAGE'; // Detected attack shows an error message
const SYSTEM_SECURITY_GET_MAX_LENGTH = 'SECURITY_GET_MAX_LENGTH'; // Trim every character (before conversion) to SECURITY_GET_MAX_LENGTH chars;
const GET_EXTRA_LENGTH_TOKEN = '_';
// Not stored in config.qfq.ini, but used in STORE_SYSTEM
// Information for: Log / Debug / Exception
const SYSTEM_SQL_RAW = 'sqlRaw'; // Type: SANITIZE_ALL / String. SQL Query (before substitute). Useful for error reporting.
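Review bot: `const GET_EXTRA_LENGTH_TOKEN = '_';` is the only constant in this block without a trailing comment; something like `// Separator before the numeric length suffix in a GET var name, e.g. 'my_var_130'` keeps the file's convention. While here, the comment on SYSTEM_SECURITY_GET_MAX_LENGTH ("Trim every character (before conversion) to SECURITY_GET_MAX_LENGTH chars") no longer describes the behaviour: the Config.php change flags the request as an attack instead of trimming the value, so update that comment as well.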
......
......@@ -69,8 +69,15 @@ class Config {
// Limit length of all get vars: protect against SQL injection based on long ...%34%34%24%34...
$maxLength = $config[SYSTEM_SECURITY_GET_MAX_LENGTH];
if ($maxLength > 0) {
foreach ($_GET as $value) {
if (strlen($value) > $maxLength) {
foreach ($_GET as $key => $value) {
// Check if the variable is something like 'my_name_100' - if the part after the last '_' is numerical, this means a valid, non standard length.
$arr = explode(GET_EXTRA_LENGTH_TOKEN, $key);
$cnt = count($arr);
if ($cnt > 1 && is_numeric($arr[$cnt - 1])) {
if (strlen($value) > $arr[$cnt - 1]) {
$attack = true;
}
} elseif (strlen($value) > $maxLength) {
$attack = true;
}
}
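Review bot: in `if (strlen($value) > $arr[$cnt - 1])` the allowed length is taken from the key of the incoming request itself, so the cap for a parameter is chosen by the client and the length check only stays meaningful for names the application actually reads. Consider bounding the suffix with a configurable ceiling (or still comparing against an absolute maximum) so the global limit cannot be raised arbitrarily through the name. Also, `is_numeric()` accepts values such as `'1e3'`, `'1.5'` and leading whitespace; since the suffix is meant to be a plain character count, `ctype_digit($arr[$cnt - 1])` followed by an `(int)` cast is the stricter test and avoids the string-versus-int `>` comparison. Finally, a suffix smaller than `$maxLength` (e.g. `name_5`) now lowers the limit below the configured value; if that is intended, document it, otherwise use `max($maxLength, (int)$arr[$cnt - 1])` as the limit.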
......