[SECURITY] Prevent edit of file metadata of files with no access 18/40818/2
author Marc Bastian Heinrichs <typo3@mbh-software.de>
Thu, 18 Jun 2015 09:10:45 +0000 (11:10 +0200)
committer Benjamin Mack <benni@typo3.org>
Wed, 1 Jul 2015 14:20:25 +0000 (16:20 +0200)
commit bff9fa5945801d1d2c641ddc8eb86c6647549d80
tree 05c17b7b41842da2e2abee49aa080251f8cb446b
parent fac6e134b29b613456de4e240719514a11cd2f20
[SECURITY] Prevent edit of file metadata of files with no access

By forging edit URLs it was possible to edit
meta data records of files which were not
within a user mount.

Implement several hooks to check access to the file
and only grant access to a meta data record if the
user has access to the file.

Resolves: #56644
Releases: master, 6.2
Security-Bulletin: TYPO3-CORE-SA-2015-002
Change-Id: I5e2de49e4af8cc68ecae604a9ef6b7e5917de769
Reviewed-on: http://review.typo3.org/40818
Reviewed-by: Helmut Hummel <helmut.hummel@typo3.org>
Tested-by: Helmut Hummel <helmut.hummel@typo3.org>
Reviewed-by: Benjamin Mack <benni@typo3.org>
Tested-by: Benjamin Mack <benni@typo3.org>
typo3/sysext/backend/Classes/Form/Element/InlineElement.php
typo3/sysext/core/Classes/Resource/Security/FileMetadataPermissionsAspect.php [new file with mode: 0644]
typo3/sysext/core/ext_localconf.php
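
The rule the commit message describes, granting access to a metadata record only when the user has access to the file it belongs to, shown as an added example that is not part of this commit or of TYPO3's code. The class, method names, paths and uids are hypothetical and constructed, and stored file paths are assumed to be canonical.

```php
<?php
declare(strict_types=1);

// Hypothetical model, not TYPO3 API: a user's file mounts are folder paths,
// and each metadata record points at exactly one file.
final class MetadataAccessCheck
{
    /** @param array<int,string> $filePaths      file uid => canonical path
     *  @param array<int,int>    $metadataToFile metadata uid => file uid */
    public function __construct(
        private array $filePaths,
        private array $metadataToFile
    ) {}

    /** @param string[] $userMounts folders the user may access */
    public function mayEditMetadata(array $userMounts, int $metadataUid): bool
    {
        // Unknown metadata record or dangling file reference: deny.
        $fileUid = $this->metadataToFile[$metadataUid] ?? null;
        if ($fileUid === null || !isset($this->filePaths[$fileUid])) {
            return false;
        }
        return $this->isWithinMount($userMounts, $this->filePaths[$fileUid]);
    }

    private function isWithinMount(array $mounts, string $path): bool
    {
        foreach ($mounts as $mount) {
            // Compare on a folder boundary so "/user_upload/team_a" does not
            // also match "/user_upload/team_a_private/...".
            $prefix = rtrim($mount, '/') . '/';
            if (str_starts_with($path, $prefix)) {
                return true;
            }
        }
        return false;
    }
}

// Constructed sample data: two files, three metadata records (one dangling).
$check = new MetadataAccessCheck(
    [1 => '/user_upload/team_a/report.pdf', 2 => '/user_upload/team_a_private/salary.pdf'],
    [10 => 1, 20 => 2, 30 => 99]
);
$mounts = ['/user_upload/team_a'];
foreach ([10, 20, 30, 40] as $uid) {
    // The uid arrives in the request, so the check runs on every edit.
    printf("metadata %d: %s\n", $uid, $check->mayEditMetadata($mounts, $uid) ? 'allow' : 'deny');
}
```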