[BUGFIX] T3editor: Honour fileDenyPattern on saving included TS 57/25057/2
author Stefan Neufeind <typo3.neufeind@speedpartner.de>
Tue, 29 Oct 2013 21:17:25 +0000 (22:17 +0100)
committer Stefan Neufeind <typo3.neufeind@speedpartner.de>
Sat, 9 Nov 2013 15:29:08 +0000 (16:29 +0100)
fileDenyPattern is only checked on loading so far.
Needs to be taken into account for saving as well, since
otherwise an arbitrary file (including .php) can be overwritten.

Change-Id: Ia7edc83c8954942fb848746abc0980a304a1a6df
Resolves: #53195
Releases: 6.2, 6.1, 6.0, 4.7, 4.5
Reviewed-on: https://review.typo3.org/25057
Reviewed-by: Stefan Neufeind
Tested-by: Stefan Neufeind
typo3/sysext/core/Classes/TypoScript/Parser/TypoScriptParser.php

index e0fab85..4bafaf8 100644 (file)
@@ -892,6 +892,9 @@ class TypoScriptParser {
                                        // Write the content to the file
                                        $realFileName = \TYPO3\CMS\Core\Utility\GeneralUtility::getFileAbsFileName($fileName);
                                        // Some file checks
+                                       if (!GeneralUtility::verifyFilenameAgainstDenyPattern($realFileName)) {
+                                               throw new \UnexpectedValueException(sprintf('File "%s" was not included since it is not allowed due to fileDenyPattern.', $fileName), 1382651858);
+                                       }
                                        if (empty($realFileName)) {
                                                throw new \UnexpectedValueException(sprintf('"%s" is not a valid file location.', $fileName), 1294586441);
                                        }
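
Review bot: The new check calls `GeneralUtility::verifyFilenameAgainstDenyPattern()` by its short name, while the context line two above it uses the fully qualified `\TYPO3\CMS\Core\Utility\GeneralUtility::getFileAbsFileName()`. No `use` statement is visible in this hunk, so confirm one exists in this file (and in each backported branch); otherwise the short name resolves against the class's own namespace and the save path fails with a fatal error instead of the intended exception. Writing the call fully qualified, as the neighbouring line does, avoids the question. Two smaller points in the same hunk: the deny-pattern check runs before `if (empty($realFileName))`, so an invalid location is passed to the pattern check as an empty string before it is rejected; swapping the two checks keeps the "not a valid file location" error first and only pattern-matches a resolved path. And the exception text says the file "was not included", although the surrounding comment ("Write the content to the file") shows this is the write path; "was not saved" would make the log entry match what was actually blocked.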