Fixed bug #16590: t3lib_TSparser::checkIncludeLines() does not check files to be...
authorOliver Hader <oliver.hader@typo3.org>
Thu, 16 Dec 2010 13:37:59 +0000 (13:37 +0000)
committerOliver Hader <oliver.hader@typo3.org>
Thu, 16 Dec 2010 13:37:59 +0000 (13:37 +0000)
git-svn-id: https://svn.typo3.org/TYPO3v4/Core/branches/TYPO3_4-3@9773 709f56b5-9817-0410-a4d7-c38de5d9e867

ChangeLog
t3lib/class.t3lib_tsparser.php

index b838ff6..6ce646d 100755 (executable)
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,6 +1,7 @@
 2010-12-16  Oliver Hader  <oliver@typo3.org>
 
        * Fixed bug #14402: XSS in Install tool (thanks to Benjamin Mack)
+       * Fixed bug #16590: t3lib_TSparser::checkIncludeLines() does not check files to be included (thanks to Fabrizio Branca)
 
 2010-12-01  Oliver Hader  <oliver@typo3.org>
 
index 8e4945c..17f2a7a 100644 (file)
@@ -534,17 +534,21 @@ class t3lib_TSparser {
                                                                case 'file':
                                                                        $filename = t3lib_div::getFileAbsFileName(trim($sourceParts[1]));
                                                                        if (strcmp($filename,''))       {       // Must exist and must not contain '..' and must be relative
-                                                                               if (@is_file($filename) && filesize($filename)<100000)  {       // Max. 100 KB include files!
-                                                                                               // check for includes in included text
-                                                                                       $includedFiles[] = $filename;
-                                                                                       $included_text = self::checkIncludeLines(t3lib_div::getUrl($filename),$cycle_counter+1, $returnFiles);
-                                                                                               // If the method also has to return all included files, merge currently included
-                                                                                               // files with files included by recursively calling itself
-                                                                                       if ($returnFiles && is_array($included_text)) {
-                                                                                               $includedFiles = array_merge($includedFiles, $included_text['files']);
-                                                                                               $included_text = $included_text['typoscript'];
+                                                                               if (t3lib_div::verifyFilenameAgainstDenyPattern($filename)) { // Check for allowed files
+                                                                                       if (@is_file($filename) && filesize($filename)<100000)  {       // Max. 100 KB include files!
+                                                                                                       // check for includes in included text
+                                                                                               $includedFiles[] = $filename;
+                                                                                               $included_text = self::checkIncludeLines(t3lib_div::getUrl($filename),$cycle_counter+1, $returnFiles);
+                                                                                                       // If the method also has to return all included files, merge currently included
+                                                                                                       // files with files included by recursively calling itself
+                                                                                               if ($returnFiles && is_array($included_text)) {
+                                                                                                       $includedFiles = array_merge($includedFiles, $included_text['files']);
+                                                                                                       $included_text = $included_text['typoscript'];
+                                                                                               }
+                                                                                               $newString.= $included_text.chr(10);
                                                                                        }
-                                                                                       $newString.= $included_text.chr(10);
+                                                                               } else {
+                                                                                       t3lib_div::sysLog('File "' . $filename . '" was not included since it is not allowed due to fileDenyPattern', 'Core', 2);
                                                                                }
                                                                        }
                                                                break;
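Review bot: The new guard at the `verifyFilenameAgainstDenyPattern` line is a denylist: it refuses only the extensions configured in fileDenyPattern, so any other readable file under the web root that the pattern does not name is still slurped by `t3lib_div::getUrl` and spliced into the TypoScript; since this case only ever needs plain TypoScript text, an allowlist of the expected text extensions (checked in addition to the deny pattern) would be the tighter control and would not depend on site configuration. The surrounding `if (@is_file(...) && filesize(...)<100000)` still fails silently while the deny-pattern branch now logs, so a caller cannot tell an oversize or missing include from an allowed-and-empty one; a matching `sysLog` (or at least a comment such as `// Missing or >100 KB files are skipped without notice`) on that branch would make the two outcomes consistent. As a point of style, wrapping the whole include body in another `if` re-indents nine unchanged lines; a guard clause `if (!t3lib_div::verifyFilenameAgainstDenyPattern($filename)) { t3lib_div::sysLog(...); break; }` placed right after the `$filename` assignment would keep the diff to the added lines and the nesting flat. `checkIncludeLines` starts before and ends after this hunk.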