Fixed bug #15728: Extension Manager allows to download arbitrary files beyond PATH_site or rootpath
authorOliver Hader <oliver.hader@typo3.org>
Wed, 6 Oct 2010 08:13:42 +0000 (08:13 +0000)
committerOliver Hader <oliver.hader@typo3.org>
Wed, 6 Oct 2010 08:13:42 +0000 (08:13 +0000)
git-svn-id: https://svn.typo3.org/TYPO3v4/Core/trunk@8965 709f56b5-9817-0410-a4d7-c38de5d9e867

ChangeLog
typo3/sysext/em/mod1/class.em_index.php

index ea0d146..ce0ff85 100755 (executable)
--- a/ChangeLog
+++ b/ChangeLog
@@ -3,6 +3,7 @@
        * Fixed bug #15461: RemoveXSS exposes XSS vulnerability for double encoded characters (thanks to Marcus Krause)
        * Follow-up to bug #15461: Added unit tests (thanks to Marcus Krause)
        * Fixed bug #15887: XSS in template analyzer (thanks to Georg Ringer)
        * Fixed bug #15461: RemoveXSS exposes XSS vulnerability for double encoded characters (thanks to Marcus Krause)
        * Follow-up to bug #15461: Added unit tests (thanks to Marcus Krause)
        * Fixed bug #15887: XSS in template analyzer (thanks to Georg Ringer)
+       * Fixed bug #15728: Extension Manager allows to download arbitrary files beyond PATH_site or rootpath (thanks to Marcus Krause)
 
 2010-10-05  Steffen Gebert  <steffen@steffen-gebert.de>
 
 
 2010-10-05  Steffen Gebert  <steffen@steffen-gebert.de>
 
index 0284596..075081a 100644 (file)
@@ -2288,7 +2288,7 @@ EXTENSION KEYS:
 
                                // Link for downloading extension has been clicked - deliver content stream:
                                $dlFile = $this->CMD['downloadFile'];
 
                                // Link for downloading extension has been clicked - deliver content stream:
                                $dlFile = $this->CMD['downloadFile'];
-                               if (t3lib_div::isFirstPartOfStr($dlFile,PATH_site) && t3lib_div::isFirstPartOfStr($dlFile,$absPath) && @is_file($dlFile))       {
+                               if (t3lib_div::isAllowedAbsPath($dlFile) && t3lib_div::isFirstPartOfStr($dlFile, PATH_site) && t3lib_div::isFirstPartOfStr($dlFile, $absPath) && @is_file($dlFile)) {
                                        $mimeType = 'application/octet-stream';
                                        Header('Content-Type: '.$mimeType);
                                        Header('Content-Disposition: attachment; filename='.basename($dlFile));
                                        $mimeType = 'application/octet-stream';
                                        Header('Content-Type: '.$mimeType);
                                        Header('Content-Disposition: attachment; filename='.basename($dlFile));
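Review bot: The `$absPath` containment test on the new line is still a plain string-prefix check, so if `$absPath` does not end in a directory separator a sibling directory such as `$absPath . 'bar/...'` would satisfy it; `$absPath` is assigned outside this hunk, so whether it carries a trailing slash cannot be confirmed here, but anchoring the check to a directory boundary costs nothing: `t3lib_div::isFirstPartOfStr($dlFile, rtrim($absPath, '/') . '/')`. The added `isAllowedAbsPath()` call is what actually stops `..` segments from walking out of PATH_site, so the older `isFirstPartOfStr($dlFile, PATH_site)` test looks redundant with it and could be dropped or left with a comment saying why both are kept. Separately, the `Content-Disposition` header on the last line emits `basename($dlFile)` unquoted, so a file name containing spaces or `;` yields a malformed header; use `Header('Content-Disposition: attachment; filename="' . basename($dlFile) . '"');`. The enclosing method begins before and continues after this hunk.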