[SECURITY] Identifiers may refer to resources outside the storage 05/23605/2
author Steffen Ritter <info@rs-websystems.de>
Wed, 4 Sep 2013 11:23:36 +0000 (13:23 +0200)
committer Oliver Hader <oliver.hader@typo3.org>
Wed, 4 Sep 2013 11:23:41 +0000 (13:23 +0200)
commit 6592233f0b46b127f0b4a3b120b4950329d288b1
tree 4f35eb8cdc68ca1f1914bf8c71da4461547d12ca
parent 481c05cd4ab640562723d1a096cf288be09bb2c9
[SECURITY] Identifiers may refer to resources outside the storage

The Driver needs to canonicalize all incoming identifiers at first,
and then check for their validity on every action performed.
If a canonicalized path resides inside a storage, it does not contain
any ../ anymore.
An exception is thrown in that case.

Change-Id: I4b11034e2adc98c9a5b7ebeddbe3c8ee54df16b5
Releases: 6.2, 6.1, 6.0
Fixes: #50883
Security-Bulletin: TYPO3-CORE-SA-2013-003
Reviewed-on: https://review.typo3.org/23605
Reviewed-by: Oliver Hader
Tested-by: Oliver Hader
typo3/sysext/core/Classes/Resource/Driver/AbstractHierarchicalFilesystemDriver.php
typo3/sysext/core/Classes/Resource/Driver/LocalDriver.php
typo3/sysext/core/Tests/Unit/Resource/Driver/LocalDriverTest.php
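
The canonicalize-then-validate order described in the commit message, as an added PHP example that is not the code of this commit or of TYPO3. The function names canonicalizeIdentifier() and validateIdentifier() and the sample identifiers are hypothetical, and identifiers are assumed to be "/"-separated paths relative to the storage root.

```php
<?php
declare(strict_types=1);

/**
 * Lexically resolve "." and ".." segments of a storage-relative identifier.
 * A ".." that would climb above the storage root is kept in the result,
 * so the caller can detect it after canonicalization.
 */
function canonicalizeIdentifier(string $identifier): string
{
    $resolved = [];
    foreach (explode('/', $identifier) as $segment) {
        if ($segment === '' || $segment === '.') {
            continue; // doubled slash or "current directory": no effect
        }
        if ($segment === '..' && $resolved !== [] && end($resolved) !== '..') {
            array_pop($resolved); // step back, still inside the storage
            continue;
        }
        $resolved[] = $segment; // ordinary name, or ".." above the root
    }
    return '/' . implode('/', $resolved);
}

/** Canonicalize first, then reject anything that still contains "..". */
function validateIdentifier(string $identifier): string
{
    $canonical = canonicalizeIdentifier($identifier);
    if (in_array('..', explode('/', $canonical), true)) {
        throw new InvalidArgumentException('Identifier points outside the storage');
    }
    return $canonical;
}

// Constructed sample identifiers: two stay inside the storage, two do not.
$samples = [
    '/user_upload/../images/./logo.png',
    'a//b/../c/',
    '/user_upload/../../outside/file.txt',
    '../../outside/file.txt',
];
foreach ($samples as $id) {
    try {
        printf("%-38s => %s\n", $id, validateIdentifier($id));
    } catch (InvalidArgumentException $e) {
        printf("%-38s => rejected (%s)\n", $id, $e->getMessage());
    }
}
```

The check is purely lexical: it does not resolve symbolic links on disk, so a storage that may contain symlinks needs a separate check on the resolved filesystem path.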