[SECURITY] Protect frame GET parameter in tx_cms_showpic eID

The "frame" parameter is no longer evaluated in the showpic eID as it allowed uncontrolled resource consumption. This parameter was actually never used by ContentObjectRenderer and existed since the initial commit and is therefore put behind a feature flag. Resolves: #103306 Releases: main, 13.1, 12.4, 11.5 Change-Id: I87019e58c078c8ccafc0b7ce42fe28b49dc068e4 Security-Bulletin: TYPO3-CORE-SA-2024-010 Security-References: CVE-2024-34358 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/84256 Reviewed-by: Oliver Hader <oliver.hader@typo3.org> Tested-by: Oliver Hader <oliver.hader@typo3.org>
TYPO3 · May 14, 2024 · 05c95fe · 05c95fe
1 parent 3764749
commit 05c95fe
Show file tree

Hide file tree

Showing 4 changed files with 43 additions and 1 deletion.
diff --git a/typo3/sysext/core/Configuration/DefaultConfiguration.php b/typo3/sysext/core/Configuration/DefaultConfiguration.php
@@ -76,6 +76,7 @@
             'security.frontend.htmlSanitizeParseFuncDefault' => true,
             'security.frontend.enforceLoginSigning' => true,
             'security.frontend.allowInsecureSiteResolutionByQueryParameters' => false,
+            'security.frontend.allowInsecureFrameOptionInShowImageController' => false,
             'security.backend.htmlSanitizeRte' => false,
             'security.backend.enforceReferrer' => true,
             'yamlImportsFollowDeclarationOrder' => false,

diff --git a/typo3/sysext/core/Configuration/DefaultConfigurationDescription.yaml b/typo3/sysext/core/Configuration/DefaultConfigurationDescription.yaml
@@ -224,6 +224,9 @@ SYS:
               yamlImportsFollowDeclarationOrder:
                 type: bool
                 description: 'If on, the YAML imports are imported in the order they are defined in the importing YAML configuration.'
+              security.frontend.allowInsecureFrameOptionInShowImageController:
+                type: bool
+                description: 'If on, the eID Script "tx_cms_showpic" respects the GET parameter "frame" without being signed. Should not be enabled as this allows uncontrolled resource consumption.'
               security.frontend.allowInsecureSiteResolutionByQueryParameters:
                 type: bool
                 description: 'If on, site resolution can be overwritten by `&id=...&L=...` parameters, URI path & host are just used as default.'

diff --git a/...ngelog/11.5.x/Important-103306-FrameGETParameterInTx_cms_showpicEIDDisabled.rst b/...ngelog/11.5.x/Important-103306-FrameGETParameterInTx_cms_showpicEIDDisabled.rst
@@ -0,0 +1,32 @@
+.. include:: /Includes.rst.txt
+
+.. _important-103306-1714976257:
+
+=======================================================================
+Important: #103306 - Frame GET parameter in tx_cms_showpic eID disabled
+=======================================================================
+
+See :issue:`103306`
+
+Description
+===========
+
+The show image controller (eID `tx_cms_showpic`) lacks a cryptographic
+HMAC-signature on the frame HTTP query parameter (e.g.
+`/index.php?eID=tx_cms_showpic?file=3&...&frame=12345`).
+This allows adversaries to instruct the system to produce an arbitrary number of
+thumbnail images on the server side.
+
+To prevent uncontrolled resource consumption, the frame HTTP query parameter is
+now ignored, since it could not be used by core APIs.
+
+The new feature flag
+`security.frontend.allowInsecureFrameOptionInShowImageController` — which is
+disabled per default — can be used to reactivate the previous behavior:
+
+..  code-block:: php
+
+    $GLOBALS['TYPO3_CONF_VARS']['SYS']['features']['security.frontend.allowInsecureFrameOptionInShowImageController'] = true;
+
+
+.. index:: Frontend, NotScanned, ext:frontend
diff --git a/typo3/sysext/frontend/Classes/Controller/ShowImageController.php b/typo3/sysext/frontend/Classes/Controller/ShowImageController.php
@@ -17,6 +17,7 @@
 
 use Psr\Http\Message\ResponseInterface;
 use Psr\Http\Message\ServerRequestInterface;
+use TYPO3\CMS\Core\Configuration\Features;
 use TYPO3\CMS\Core\Exception;
 use TYPO3\CMS\Core\Http\Response;
 use TYPO3\CMS\Core\Resource\File;
@@ -152,7 +153,12 @@ public function initialize()
             throw new Exception('File processing for local storage is denied', 1594043425);
         }
 
-        $this->frame = $this->request->getQueryParams()['frame'] ?? null;
+        if (GeneralUtility::makeInstance(Features::class)->isFeatureEnabled('security.frontend.allowInsecureFrameOptionInShowImageController')) {
+            $frameValue = $this->request->getQueryParams()['frame'] ?? null;
+            if ($frameValue !== null && MathUtility::canBeInterpretedAsInteger($frameValue)) {
+                $this->frame = (int)$frameValue;
+            }
+        }
     }
 
     /**