[SECURITY] Protect frame GET parameter in tx_cms_showpic eID

The "frame" parameter is no longer evaluated in the showpic eID as
it allowed uncontrolled resource consumption. This parameter was
actually never used by ContentObjectRenderer and existed since
the initial commit and is therefore put behind a feature flag.

Resolves: #103306
Releases: main, 13.1, 12.4, 11.5
Change-Id: I87019e58c078c8ccafc0b7ce42fe28b49dc068e4
Security-Bulletin: TYPO3-CORE-SA-2024-010
Security-References: CVE-2024-34358
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/84259
Reviewed-by: Oliver Hader <[email protected]>
Tested-by: Oliver Hader <[email protected]>

typo3/sysext/core/Configuration/DefaultConfiguration.php

@@ -78,6 +78,7 @@
             'security.frontend.enforceContentSecurityPolicy' => false,
             'security.frontend.allowInsecureSiteResolutionByQueryParameters' => false,
             'security.usePasswordPolicyForFrontendUsers' => false,
+            'security.frontend.allowInsecureFrameOptionInShowImageController' => false,
         ],
         'createGroup' => '',
         'sitename' => 'TYPO3',

typo3/sysext/core/Configuration/DefaultConfigurationDescription.yaml

@@ -208,6 +208,9 @@ SYS:
               security.frontend.enforceContentSecurityPolicy:
                 type: bool
                 description: 'If on, HTTP Content-Security-Policy header will be applied for each HTTP frontend request.'
+              security.frontend.allowInsecureFrameOptionInShowImageController:
+                type: bool
+                description: 'If on, the eID Script "tx_cms_showpic" respects the GET parameter "frame" without being signed. Should not be enabled as this allows uncontrolled resource consumption.'
               security.frontend.allowInsecureSiteResolutionByQueryParameters:
                 type: bool
                 description: 'If on, site resolution can be overwritten by `&id=...&L=...` parameters, URI path & host are just used as default.'

typo3/sysext/core/Documentation/Changelog/11.5.x/Important-103306-FrameGETParameterInTx_cms_showpicEIDDisabled.rst

@@ -0,0 +1,32 @@
+.. include:: /Includes.rst.txt
+
+.. _important-103306-1714976257:
+
+=======================================================================
+Important: #103306 - Frame GET parameter in tx_cms_showpic eID disabled
+=======================================================================
+
+See :issue:`103306`
+
+Description
+===========
+
+The show image controller (eID `tx_cms_showpic`) lacks a cryptographic
+HMAC-signature on the frame HTTP query parameter (e.g.
+`/index.php?eID=tx_cms_showpic?file=3&...&frame=12345`).
+This allows adversaries to instruct the system to produce an arbitrary number of
+thumbnail images on the server side.
+
+To prevent uncontrolled resource consumption, the frame HTTP query parameter is
+now ignored, since it could not be used by core APIs.
+
+The new feature flag
+`security.frontend.allowInsecureFrameOptionInShowImageController` — which is
+disabled per default — can be used to reactivate the previous behavior:
+
+..  code-block:: php
+
+    $GLOBALS['TYPO3_CONF_VARS']['SYS']['features']['security.frontend.allowInsecureFrameOptionInShowImageController'] = true;
+
+
+.. index:: Frontend, NotScanned, ext:frontend

typo3/sysext/frontend/Classes/Controller/ShowImageController.php

@@ -19,6 +19,7 @@
 
 use Psr\Http\Message\ResponseInterface;
 use Psr\Http\Message\ServerRequestInterface;
+use TYPO3\CMS\Core\Configuration\Features;
 use TYPO3\CMS\Core\Exception;
 use TYPO3\CMS\Core\Http\Response;
 use TYPO3\CMS\Core\Resource\File;
@@ -110,6 +111,10 @@ class ShowImageController
      */
     protected $imageTag = '<img src="###publicUrl###" alt="###alt###" title="###title###" width="###width###" height="###height###" />';
 
+    public function __construct(
+        protected readonly Features $features
+    ) {}
+
     /**
      * Init function, setting the input vars in the global space.
      *
@@ -154,7 +159,12 @@ public function initialize()
             throw new Exception('File processing for local storage is denied', 1594043425);
         }
 
-        $this->frame = $this->request->getQueryParams()['frame'] ?? null;
+        if ($this->features->isFeatureEnabled('security.frontend.allowInsecureFrameOptionInShowImageController')) {
+            $frameValue = $this->request->getQueryParams()['frame'] ?? null;
+            if ($frameValue !== null && MathUtility::canBeInterpretedAsInteger($frameValue)) {
+                $this->frame = (int)$frameValue;
+            }
+        }
     }
 
     /**

typo3/sysext/frontend/Configuration/Services.yaml

@@ -15,6 +15,9 @@ services:
     arguments:
       $cache: '@cache.assets'
 
+  TYPO3\CMS\Frontend\Controller\ShowImageController:
+    public: true
+
   TYPO3\CMS\Frontend\ContentObject\ContentDataProcessor:
     public: true
 

typo3/sysext/frontend/Tests/Functional/Controller/ShowImageControllerTest.php

@@ -22,6 +22,7 @@
 use PHPUnit\Framework\Attributes\Test;
 use PHPUnit\Framework\MockObject\MockObject;
 use Psr\Http\Message\ServerRequestInterface;
+use TYPO3\CMS\Core\Configuration\Features;
 use TYPO3\CMS\Core\Resource\FileInterface;
 use TYPO3\CMS\Core\Resource\ProcessedFile;
 use TYPO3\CMS\Core\Resource\ResourceFactory;
@@ -49,6 +50,7 @@ protected function setUp(): void
             ->disableOriginalConstructor()
             ->getMock();
         $this->subject = $this->getMockBuilder(ShowImageController::class)
+            ->setConstructorArgs([new Features()])
             ->onlyMethods(['processImage'])
             ->getMock();
         GeneralUtility::setSingletonInstance(ResourceFactory::class, $this->resourceFactory);