Fixed bug #15728: Extension Manager allows to download arbitrary files beyond PATH_si...
author:    Oliver Hader <oliver.hader@typo3.org>
           Wed, 6 Oct 2010 08:12:57 +0000 (08:12 +0000)
committer: Oliver Hader <oliver.hader@typo3.org>
           Wed, 6 Oct 2010 08:12:57 +0000 (08:12 +0000)
git-svn-id: https://svn.typo3.org/TYPO3v4/Core/branches/TYPO3_4-2@8962 709f56b5-9817-0410-a4d7-c38de5d9e867

ChangeLog
typo3/mod/tools/em/class.em_index.php

index 18134ed..d96a581 100755 (executable)
--- a/ChangeLog
+++ b/ChangeLog
@@ -2,6 +2,7 @@
 
        * Fixed bug #13650: Information disclosure in sys_actions (DB mount, usergroups) (thanks to Georg Ringer)
        * Fixed bug #15461: RemoveXSS exposes XSS vulnerability for double encoded characters (thanks to Marcus Krause)
+       * Fixed bug #15728: Extension Manager allows to download arbitrary files beyond PATH_site or rootpath (thanks to Marcus Krause)
 
 2010-09-24  Steffen Gebert  <steffen@steffen-gebert.de>
 
index 60b2d88..9c64dbd 100644 (file)
@@ -2065,7 +2065,7 @@ EXTENSION KEYS:
 
                                // Link for downloading extension has been clicked - deliver content stream:
                                $dlFile = $this->CMD['downloadFile'];
-                               if (t3lib_div::isFirstPartOfStr($dlFile,PATH_site) && t3lib_div::isFirstPartOfStr($dlFile,$absPath) && @is_file($dlFile))       {
+                               if (t3lib_div::isAllowedAbsPath($dlFile) && t3lib_div::isFirstPartOfStr($dlFile, PATH_site) && t3lib_div::isFirstPartOfStr($dlFile, $absPath) && @is_file($dlFile)) {
                                        $mimeType = 'application/octet-stream';
                                        Header('Content-Type: '.$mimeType);
                                        Header('Content-Disposition: attachment; filename='.basename($dlFile));
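Review bot: The pre-fix condition is a pure string-prefix test, so a $dlFile like $absPath . '/../../../etc/passwd' satisfies both isFirstPartOfStr() checks and @is_file() then follows the traversal; that is the hole the ChangeLog entry describes, and prepending t3lib_div::isAllowedAbsPath() is the right place to close it. Two things to confirm before merging: that isAllowedAbsPath() actually rejects ".." segments (and "//", backslashes, control characters) rather than only re-checking the PATH_site prefix, since otherwise the two isFirstPartOfStr() calls kept on this line would be redundant and the traversal would remain; and that the same guard is applied to any other branch that reads $this->CMD['downloadFile'] or a similar user-supplied path. An alternative that does not depend on the helper's internals is to compare realpath($dlFile) against realpath($absPath) with a trailing directory separator, which canonicalises the path before the prefix test. Minor: the Content-Disposition header emits basename($dlFile) unquoted; quoting the filename avoids header parsing surprises with spaces or semicolons in extension file names.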