[SECURITY] Restrict file validation hash generation

FriendsOfTYPO3 · Jul 28, 2020 · cd70557 · cd70557
2 parents a06c3fd + ca7a7fc
commit cd70557
Show file tree

Hide file tree

Showing 2 changed files with 8 additions and 3 deletions.
diff --git a/Resources/PHP/ValidateHashEID.php b/Resources/PHP/ValidateHashEID.php
@@ -14,10 +14,15 @@
 
 call_user_func(function() {
     $value = \TYPO3\CMS\Core\Utility\GeneralUtility::_GET('value');
-    $addition = \TYPO3\CMS\Core\Utility\GeneralUtility::_GET('addition');
     $scope = \TYPO3\CMS\Core\Utility\GeneralUtility::_GET('scope');
 
-    $content = \TYPO3\CMS\Core\Utility\GeneralUtility::hmac($value, $addition);
+    if (!is_string($value) || empty($value)) {
+        \TYPO3\CMS\Core\Utility\HttpUtility::setResponseCodeAndExit(
+            \TYPO3\CMS\Core\Utility\HttpUtility::HTTP_STATUS_400
+        );
+    }
+
+    $content = \TYPO3\CMS\Core\Utility\GeneralUtility::hmac($value, 'flashvars');
 
     if ($scope === 'flashvars') {
         header('Content-type: application/x-www-form-urlencoded');

diff --git a/ext_emconf.php b/ext_emconf.php
@@ -9,7 +9,7 @@
     'uploadfolder' => 0,
     'createDirs' => 'uploads/media',
     'clearCacheOnLoad' => 1,
-    'version' => '7.6.4',
+    'version' => '7.6.5',
     'constraints' => array(
         'depends' => array(
             'typo3' => '7.6.0-7.6.99',