[SECURITY] Deny arbitrary code execution possibility for editors 04/23604/2
author Helmut Hummel <helmut.hummel@typo3.org>
Wed, 4 Sep 2013 11:23:29 +0000 (13:23 +0200)
committer Oliver Hader <oliver.hader@typo3.org>
Wed, 4 Sep 2013 11:23:33 +0000 (13:23 +0200)
commit 481c05cd4ab640562723d1a096cf288be09bb2c9
tree f44f09e0fca88a4b6b134dc2e98a63364e4b666d
parent dbc76c7c4e9aa2b43941ae36cbe8d591a8064485
[SECURITY] Deny arbitrary code execution possibility for editors

Because the filename is sanitized in the driver
after the check for denied file extensions is
performed, it was still possible to rename files
with denied file extensions.

We now perform the file extension check
on the final filename which is going to be used
by the driver.

This change makes the sanitizing method public
and introduces a basic implementation in
AbstractDriver to not break existing driver
implementations.

Change-Id: I74b3596e194e79135d7affa3111b3f9e40a72693
Fixes: #51495
Releases: 6.2, 6.1, 6.0
Security-Commit: d9aa75ad0169e90065656ca78b19ab966d1c76c1
Security-Bulletin: TYPO3-CORE-SA-2013-003
Reviewed-on: https://review.typo3.org/23604
Reviewed-by: Oliver Hader
Tested-by: Oliver Hader
typo3/sysext/core/Classes/Resource/Driver/AbstractDriver.php
typo3/sysext/core/Classes/Resource/Driver/LocalDriver.php
typo3/sysext/core/Classes/Resource/ResourceStorage.php
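
The ordering problem described in the commit message, as an added PHP example that is not part of this commit or of TYPO3. `DENY_PATTERN`, `sanitizeFileName()`, `isDenied()` and both rename functions are hypothetical stand-ins for a storage deny list and a driver sanitizer, and the input name is constructed.

```php
<?php
declare(strict_types=1);

// Added illustration, not TYPO3 code. DENY_PATTERN and sanitizeFileName() are
// hypothetical stand-ins for a storage's deny list and a driver's sanitizer.
const DENY_PATTERN = '/\.(php\d?|phtml)(\.|$)/i';

// Hypothetical sanitizer: drops every character outside a small allow-list.
function sanitizeFileName(string $name): string
{
    return (string) preg_replace('/[^A-Za-z0-9._-]/', '', $name);
}

function isDenied(string $name): bool
{
    return preg_match(DENY_PATTERN, $name) === 1;
}

// Flawed order: the deny check sees the requested name, but the driver
// stores the sanitized one, which was never checked.
function renameCheckedBeforeSanitizing(string $requested): string
{
    if (isDenied($requested)) {
        throw new InvalidArgumentException('File extension is not allowed');
    }
    return sanitizeFileName($requested);
}

// Corrected order: sanitize first, then check the name that will be written.
function renameCheckedAfterSanitizing(string $requested): string
{
    $final = sanitizeFileName($requested);
    if ($final === '' || isDenied($final)) {
        throw new InvalidArgumentException('File extension is not allowed');
    }
    return $final;
}

// Constructed input: the raw name passes the deny check, the sanitized one would not.
$requested = 'notes.ph p';
var_dump(isDenied($requested));
var_dump(renameCheckedBeforeSanitizing($requested));
try {
    renameCheckedAfterSanitizing($requested);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), PHP_EOL;
}
```

The same rule applies to any validation that depends on a name or path: run it on the canonical value the storage layer will actually use.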