[SECURITY] Disallow invalid encoding in GeneralUtility::validPathStr 44/50744/2
authorBenni Mack <benni@typo3.org>
Tue, 22 Nov 2016 10:09:45 +0000 (11:09 +0100)
committerOliver Hader <oliver.hader@typo3.org>
Tue, 22 Nov 2016 10:09:48 +0000 (11:09 +0100)
commite8d9c8d1eaf10f35b14554c7ddb0a5c05dd5c5d2
tree471f100cf79aa9b5b06618a70b7fc0853bb4bbcd
parentefb1443e8a7bd933aa6fb7d2e3f2db9aaceb985b
[SECURITY] Disallow invalid encoding in GeneralUtility::validPathStr

Directory names, which have an invalid UTF encoding,
cause the preg_match() to return false.
To avoid that the complete statement in GeneralUtility::validPathStr()
returns true in this case, a strict comparison against 0 is added,
so that we ensure that strings with invalid encodings are rejected
by this API method.

As a consequence UTF-16 encoded path names are rejected as well, if the
system / file system does not support them.

Resolves: #73453
Releases: master, 8.4, 7.6, 6.2
Security-Commit: c54aa56d18815aa1867ec54358ad419ea03ec205
Security-Bulletins: TYPO3-CORE-SA-2016-023, 024
Change-Id: Iedd6628050d8cdf2efe429bcd7b577f5a6d11805
Reviewed-on: https://review.typo3.org/50744
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>
Tested-by: Oliver Hader <oliver.hader@typo3.org>
composer.json
composer.lock
typo3/sysext/core/Classes/Utility/GeneralUtility.php
typo3/sysext/core/Tests/Unit/Utility/GeneralUtilityTest.php