[SECURITY] Prevent edit of file metadata of files with no access
author Marc Bastian Heinrichs <typo3@mbh-software.de>
Wed, 23 Apr 2014 15:28:46 +0000 (17:28 +0200)
committer Benjamin Mack <benni@typo3.org>
Wed, 1 Jul 2015 14:09:27 +0000 (16:09 +0200)
commit d3c9706c827074adaefd8a79ecf5024fa4b9c756
tree f26b40996aa81237a82f9162a58429633382c9b4
parent edd2a1c53e038d81f28fad05cd606d6dd040c93d
[SECURITY] Prevent edit of file metadata of files with no access

By forging edit URLs it was possible to edit
meta data records of files which were not
within a user mount.

Implement several hooks to check access to the file
and only grant access to a meta data record if the
user has access to the file.

Resolves: #56644
Releases: master, 6.2
Security-Bulletin: TYPO3-CORE-SA-2015-002
Change-Id: I0f0704af2e7f01d16b9420f9ba4ac1a7846b5270
Reviewed-on: http://review.typo3.org/40804
Reviewed-by: Benjamin Mack <benni@typo3.org>
Tested-by: Benjamin Mack <benni@typo3.org>
Reviewed-by: Helmut Hummel <helmut.hummel@typo3.org>
Tested-by: Helmut Hummel <helmut.hummel@typo3.org>
typo3/sysext/backend/Classes/Form/Container/InlineRecordContainer.php
typo3/sysext/core/Classes/Resource/Security/FileMetadataPermissionsAspect.php [new file with mode: 0644]
typo3/sysext/core/Documentation/Changelog/master/Feature-56644-AddHookToInlineRecordContainerCheckAccess.rst [new file with mode: 0644]
typo3/sysext/core/ext_localconf.php