[SECURITY] Avoid DoS in Online Media Helper 97/59097/2
authorOliver Hader <oliver@typo3.org>
Tue, 11 Dec 2018 09:56:37 +0000 (10:56 +0100)
committerOliver Hader <oliver.hader@typo3.org>
Tue, 11 Dec 2018 09:56:38 +0000 (10:56 +0100)
Using large media files (*.youtube, *.vimeo in the TYPO3 core)
might lead to denial of service scenarios. In order to avoid
that, media files are limited to have a content size of 2048
bytes as a maximum. Usually these files contain just the remote
identifier - thus, ~20 bytes should have been sufficient already.

Resolves: #85381
Releases: master, 8.7, 7.6
Security-Commit: 38eec2deace776ed34d30b8e1e5e95fffec5db8a
Security-Bulletin: TYPO3-CORE-SA-2018-011
Change-Id: I0af4f27e2de6db43c2801f1f3143c9cdb6e21867
Reviewed-on: https://review.typo3.org/59097
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>
Tested-by: Oliver Hader <oliver.hader@typo3.org>
typo3/sysext/core/Classes/Resource/OnlineMedia/Helpers/AbstractOnlineMediaHelper.php

index 68e835c..61fbd9d 100644 (file)
@@ -59,6 +59,10 @@ abstract class AbstractOnlineMediaHelper implements OnlineMediaHelperInterface
     public function getOnlineMediaId(File $file)
     {
         if (!isset($this->onlineMediaIdCache[$file->getUid()])) {
+            // Limiting media identifier to 2048 bytes
+            if ($file->getSize() > 2048) {
+                return '';
+            }
             // By definition these files only contain the ID of the remote media source
             $this->onlineMediaIdCache[$file->getUid()] = trim($file->getContents());
         }