[SECURITY] Disallow access to fallback storage '0'
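--- a/typo3/sysext/filelist/Classes/Controller/FileListController.php
+++ b/typo3/sysext/filelist/Classes/Controller/FileListController.php
@@ -142,6 +142,7 @@ class FileListController {
         *
         * @return void
         * @throws \RuntimeException
+        * @throws Exception\InsufficientFolderAccessPermissionsException
         */
        public function init() {
                // Setting GPvars:
@@ -163,9 +164,12 @@ class FileListController {
                                }
 
                                $this->folderObject = $fileFactory->getFolderObjectFromCombinedIdentifier($storage->getUid() . ':' . $identifier);
+                               // Disallow access to fallback storage 0
+                               if ($storage->getUid() === 0) {
+                                       throw new Exception\InsufficientFolderAccessPermissionsException('You are not allowed to access files outside your storages', 1434539815);
+                               }
                                // Disallow the rendering of the processing folder (e.g. could be called manually)
-                               // and all folders without any defined storage
-                               if ($this->folderObject && ($storage->isProcessingFolder($this->folderObject) || $storage->getUid() === 0)) {
+                               if ($this->folderObject && $storage->isProcessingFolder($this->folderObject)) {
                                        $this->folderObject = $storage->getRootLevelFolder();
                                }
                        } else {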
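Review bot: The storage-0 guard in the second hunk runs only after `$this->folderObject = $fileFactory->getFolderObjectFromCombinedIdentifier(...)` has resolved and stored a folder from the fallback storage, so the controller still holds that object when the exception is thrown. Whether that matters depends on the handler, which lies outside the hunk; if no handler resets `$this->folderObject`, later code in the request could still reach it. Moving `if ($storage->getUid() === 0) { throw new Exception\InsufficientFolderAccessPermissionsException(...); }` above the assignment rejects the request before any lookup in storage 0 happens. The guard also relies on `getUid()` returning an integer, because `=== 0` would not match a string `'0'`; that is presumably the case but is not visible here. The body of `init()` begins and ends outside both hunks.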