[SECURITY] Disallow invalid encoding in GeneralUtility::validPathStr 40/50740/2
authorBenni Mack <benni@typo3.org>
Tue, 22 Nov 2016 10:09:16 +0000 (11:09 +0100)
committerOliver Hader <oliver.hader@typo3.org>
Tue, 22 Nov 2016 10:09:18 +0000 (11:09 +0100)
commit1fa900f938bb8aa8877e6db52082f1671515823f
tree5c1a02a6d699a50da330f4c37e0c911ec99288fa
parent9e5a190c21fe51ad65a7ecb1ac5230385f33478f
[SECURITY] Disallow invalid encoding in GeneralUtility::validPathStr

Directory names, which have an invalid UTF encoding,
cause the preg_match() to return false.
To avoid that the complete statement in GeneralUtility::validPathStr()
returns true in this case, a strict comparison against 0 is added,
so that we ensure that strings with invalid encodings are rejected
by this API method.

As a consequence UTF-16 encoded path names are rejected as well, if the
system / file system does not support them.

Resolves: #73453
Releases: master, 8.4, 7.6, 6.2
Security-Commit: 2a05bec1cfd6fdafdaba8de51369f1d86ca60db0
Security-Bulletins: TYPO3-CORE-SA-2016-023, 024
Change-Id: I875d45005b4a8b8d027fba078c9be399bb13a782
Reviewed-on: https://review.typo3.org/50740
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>
Tested-by: Oliver Hader <oliver.hader@typo3.org>
composer.json
composer.lock
typo3/sysext/core/Classes/Utility/GeneralUtility.php
typo3/sysext/core/Tests/Unit/Utility/GeneralUtilityTest.php