[SECURITY] Deny arbitrary code execution possibility for editors 98/23598/2
author Helmut Hummel <helmut.hummel@typo3.org>
Wed, 4 Sep 2013 11:14:17 +0000 (13:14 +0200)
committer Oliver Hader <oliver.hader@typo3.org>
Wed, 4 Sep 2013 11:14:20 +0000 (13:14 +0200)
commit 5d9b4e33039f95d08523d805bf5a95a94b1955ba
tree d7c0d7beb95172f5e8fd98a85e1d8a1b1b67cfa5
parent a7e77220cb3bad1ae83bae415e3ee4d3eda3611b
[SECURITY] Deny arbitrary code execution possibility for editors

Because the filename is sanitized in the driver
after the check for denied file extensions is
performed, it was still possible to rename files
with denied file extensions.

We now perform the file extension check
on the final filename which is going to be used
by the driver.

This change makes the sanitizing method public
and introduces a basic implementation in
AbstractDriver to not break existing driver
implementations.

Fixes: #51495
Releases: 6.2, 6.1, 6.0
Change-Id: I2c055b7b070a5e13c2172d1f20fdcd83ee597e08
Security-Commit: de60d4ef37fc582e6349d5fa8ed13ec30d4892ff
Security-Bulletin: TYPO3-CORE-SA-2013-003
Reviewed-on: https://review.typo3.org/23598
Reviewed-by: Oliver Hader
Tested-by: Oliver Hader
typo3/sysext/core/Classes/Resource/Driver/AbstractDriver.php
typo3/sysext/core/Classes/Resource/Driver/LocalDriver.php
typo3/sysext/core/Classes/Resource/ResourceStorage.php
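
The ordering problem described in the commit message, as an added PHP sketch that is not TYPO3's code: the same rename request goes through check-then-sanitize and through sanitize-then-check. The deny pattern, the sanitizer rules, the function names and the sample filename are all assumptions made for illustration.

```php
<?php
// Added illustration, not TYPO3 code. Everything below is hypothetical.
const DENY_PATTERN = '/\.(php[3-6]?|phtml)$/i'; // simplified deny list (assumption)

// Hypothetical driver sanitizer: trims whitespace, replaces characters
// outside an allow-list with "_", then trims leading/trailing dots.
function sanitizeFileName(string $name): string
{
    $clean = (string)preg_replace('/[^A-Za-z0-9._-]/', '_', trim($name));
    return trim($clean, '.');
}

// True when the name does not end in a denied extension.
function isAllowed(string $name): bool
{
    return preg_match(DENY_PATTERN, $name) !== 1;
}

// Flawed ordering: the deny check sees the raw name, the driver stores another.
function renameCheckThenSanitize(string $requested): string
{
    if (!isAllowed($requested)) {
        throw new RuntimeException('denied file extension');
    }
    return sanitizeFileName($requested); // final name was never checked
}

// Fixed ordering: sanitize first, then check the name that will be stored.
function renameSanitizeThenCheck(string $requested): string
{
    $final = sanitizeFileName($requested);
    if (!isAllowed($final)) {
        throw new RuntimeException('denied file extension');
    }
    return $final;
}

$requested = "notes.php "; // constructed input: trailing space hides the extension
echo 'check-then-sanitize stores: ', renameCheckThenSanitize($requested), PHP_EOL;
try {
    renameSanitizeThenCheck($requested);
} catch (RuntimeException $e) {
    echo 'sanitize-then-check: ', $e->getMessage(), PHP_EOL;
}
```

Any validation that runs before a normalising step should be re-run, or moved, so that it sees the exact string the storage layer will use.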