[SECURITY] Identifiers may refer to resources outside the storage 07/23607/2
author Steffen Ritter <info@rs-websystems.de>
Wed, 4 Sep 2013 11:23:51 +0000 (13:23 +0200)
committer Oliver Hader <oliver.hader@typo3.org>
Wed, 4 Sep 2013 11:23:56 +0000 (13:23 +0200)
commit f48a1c1bf553814b8867a9fd3022a4b8f4db6a64
tree ac5d5138358aa0bed3b9548a6e39938715119ce5
parent 5d9b4e33039f95d08523d805bf5a95a94b1955ba
[SECURITY] Identifiers may refer to resources outside the storage

The Driver needs to canonicalize all incoming identifiers at first,
and then check for their validity on every action performed.
If a canonicalized path resides inside a storage it does not contain
any ../ anymore.
An exception is thrown in that case.

Change-Id: I6114be2a517bb44753f92bea1b3b7dfdd42a2f1f
Releases: 6.2, 6.1, 6.0
Fixes: #50883
Security-Bulletin: TYPO3-CORE-SA-2013-003
Reviewed-on: https://review.typo3.org/23607
Reviewed-by: Oliver Hader
Tested-by: Oliver Hader
typo3/sysext/core/Classes/Resource/Driver/AbstractHierarchicalFilesystemDriver.php
typo3/sysext/core/Classes/Resource/Driver/LocalDriver.php
typo3/sysext/core/Tests/Unit/Resource/Driver/LocalDriverTest.php
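
The canonicalize-then-check approach described in the commit message, as an added PHP example. It is not the code from this commit; the function names `canonicalizeIdentifier` and `assertInsideStorage` and the sample identifiers are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Added illustration; function names are hypothetical, not TYPO3's driver API.
// Lexical only: symbolic links inside the storage are not resolved here.

// Step 1: canonicalize a storage-relative identifier.
// ".." segments that cannot be resolved inside the storage are kept, so the
// validity check below can see them.
function canonicalizeIdentifier(string $identifier): string
{
    // Treat backslashes as separators so "..\" is handled like "../".
    $segments = explode('/', str_replace('\\', '/', $identifier));
    $stack = [];
    foreach ($segments as $segment) {
        if ($segment === '' || $segment === '.') {
            continue; // collapse "//" and "/./"
        }
        if ($segment === '..' && $stack !== [] && end($stack) !== '..') {
            array_pop($stack); // "a/../b" becomes "b"
            continue;
        }
        $stack[] = $segment; // normal name, or a ".." pointing above the root
    }
    return '/' . implode('/', $stack);
}

// Step 2: validity check, to be run on every action that takes an identifier.
function assertInsideStorage(string $identifier): string
{
    $canonical = canonicalizeIdentifier($identifier);
    if (in_array('..', explode('/', $canonical), true)) {
        throw new InvalidArgumentException('Identifier leaves the storage: ' . $identifier);
    }
    return $canonical;
}

// Constructed sample identifiers (not taken from the TYPO3 test suite).
$samples = ['/user_upload/../user_upload/a.jpg', '/a//./b/', '/a/../../secret.txt', '..\\..\\conf.php'];
foreach ($samples as $sample) {
    try {
        echo $sample, ' => ', assertInsideStorage($sample), PHP_EOL;
    } catch (InvalidArgumentException $e) {
        echo $sample, ' => rejected', PHP_EOL;
    }
}
```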