[SECURITY] Open shockwave inclusion in flvplayer.swf 74/45274/2
authorOliver Hader <oliver@typo3.org>
Tue, 15 Dec 2015 10:35:59 +0000 (11:35 +0100)
committerOliver Hader <oliver.hader@typo3.org>
Tue, 15 Dec 2015 10:36:06 +0000 (11:36 +0100)
commit29ae05c04cb48d4031d323f17d8f2b68b27af353
tree71c191bc05a313f73d66f24741fa03b7721e00e3
parent420f5ed967931b085be2f548a82b654ae0177694
[SECURITY] Open shockwave inclusion in flvplayer.swf

File inclusion is now protected by an additional signed hash
from the providing server which is validated further in the
Flash Player. In case of mismatching hash values, no external
shockwave file will be loaded.

This feature has been moved to ext:mediace in TYPO3 7 LTS.

Resolves: #59417
Releases: 6.2, 4.5
Security-Commit: 6c4814ce17122b669e209836e6e361958ba07df0
Security-Bulletins: TYPO3-CORE-SA-2015-010, 011, 012, 013, 014, 015
Change-Id: I9cff37b97a101b5da2834e046137c025ecbbebcc
Reviewed-on: https://review.typo3.org/45274
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>
Tested-by: Oliver Hader <oliver.hader@typo3.org>
typo3/contrib/flashmedia/flvplayer.swf
typo3/contrib/flashmedia/src/flvplayer.as
typo3/sysext/cms/ext_localconf.php
typo3/sysext/cms/tslib/PHP/ValidateHashEID.php [new file with mode: 0644]
typo3/sysext/frontend/Classes/ContentObject/ShockwaveFlashObjectContentObject.php