[TASK] Move non-public files to typo3temp/var/ 05/45505/7
authorBenni Mack <benni@typo3.org>
Wed, 30 Dec 2015 13:35:14 +0000 (14:35 +0100)
committerBenni Mack <benni@typo3.org>
Tue, 12 Jan 2016 08:46:31 +0000 (09:46 +0100)
Add a subdirectory typo3temp/var/ (by default) that
contains all files which should never be accessible
to web users.

In the future, this option should be configurable so it can
be put outside of the document root (e.g. via an
environment variable).

Resolves: #72479
Releases: master
Change-Id: Ia2e425a2ff55deac91c02b829c73036478995b0b
Reviewed-on: https://review.typo3.org/45505
Reviewed-by: Mathias Schreiber <mathias.schreiber@wmdb.de>
Tested-by: Mathias Schreiber <mathias.schreiber@wmdb.de>
Reviewed-by: Susanne Moog <typo3@susannemoog.de>
Tested-by: Susanne Moog <typo3@susannemoog.de>
21 files changed:
_.htaccess
typo3/sysext/core/Classes/Cache/Backend/SimpleFileBackend.php
typo3/sysext/core/Classes/Charset/CharsetConverter.php
typo3/sysext/core/Classes/Core/ClassLoadingInformation.php
typo3/sysext/core/Classes/Locking/FileLockStrategy.php
typo3/sysext/core/Classes/Locking/SemaphoreLockStrategy.php
typo3/sysext/core/Classes/Locking/SimpleLockStrategy.php
typo3/sysext/core/Classes/Log/Writer/FileWriter.php
typo3/sysext/core/Tests/Unit/Locking/SimpleLockStrategyTest.php
typo3/sysext/documentation/Classes/Service/DocumentationService.php
typo3/sysext/extensionmanager/Classes/Controller/UploadExtensionFileController.php
typo3/sysext/extensionmanager/Classes/Utility/Repository/Helper.php
typo3/sysext/extensionmanager/Classes/Utility/UpdateScriptUtility.php
typo3/sysext/install/Classes/FolderStructure/DefaultFactory.php
typo3/sysext/install/Classes/Report/InstallStatusReport.php
typo3/sysext/install/Classes/Service/CoreUpdateService.php
typo3/sysext/install/Classes/Service/SessionService.php
typo3/sysext/install/Resources/Private/FolderStructureTemplateFiles/typo3temp-var-htaccess [new file with mode: 0644]
typo3/sysext/lang/Classes/Service/TerService.php
typo3/sysext/rsaauth/Classes/Backend/CommandLineBackend.php
typo3/sysext/version/Classes/Hook/DataHandlerHook.php

index 954686c..b0b4960 100644 (file)
@@ -278,7 +278,7 @@ AddDefaultCharset utf-8
        # Access block for folders
        RewriteRule _(?:recycler|temp)_/ - [F]
        RewriteRule fileadmin/templates/.*\.(?:txt|ts)$ - [F]
-       RewriteRule typo3temp/logs/ - [F]
+       RewriteRule typo3temp/var/ - [F]
        RewriteRule ^(vendor|typo3_src) - [F]
        RewriteRule (?:typo3conf/ext|typo3/sysext|typo3/ext)/[^/]+/(?:Configuration|Resources/Private|Tests?)/ - [F]
 
index 48f91bf..e5c24e7 100644 (file)
@@ -97,8 +97,8 @@ class SimpleFileBackend extends \TYPO3\CMS\Core\Cache\Backend\AbstractBackend im
         parent::setCache($cache);
         if (empty($this->temporaryCacheDirectory)) {
             // If no cache directory was given with cacheDirectory
-            // configuration option, set it to a path below typo3temp/
-            $temporaryCacheDirectory = PATH_site . 'typo3temp/';
+            // configuration option, set it to a path below typo3temp/var/
+            $temporaryCacheDirectory = PATH_site . 'typo3temp/var/';
         } else {
             $temporaryCacheDirectory = $this->temporaryCacheDirectory;
         }
index c5b9a3c..be81939 100644 (file)
@@ -1040,7 +1040,7 @@ class CharsetConverter implements SingletonInterface
             if ($charset && GeneralUtility::validPathStr($charsetConvTableFile) && @is_file($charsetConvTableFile)) {
                 // Cache file for charsets:
                 // Caching brought parsing time for gb2312 down from 2400 ms to 150 ms. For other charsets we are talking 11 ms down to zero.
-                $cacheFile = GeneralUtility::getFileAbsFileName('typo3temp/cs/charset_' . $charset . '.tbl');
+                $cacheFile = GeneralUtility::getFileAbsFileName('typo3temp/var/charset/charset_' . $charset . '.tbl');
                 if ($cacheFile && @is_file($cacheFile)) {
                     $this->parsedCharsets[$charset] = unserialize(GeneralUtility::getUrl($cacheFile));
                 } else {
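Review bot: The cache file is still passed straight to `unserialize()` on the line after the changed path, so this code is only as safe as the write permissions on `typo3temp/var/charset/`. Moving the file under the access-blocked directory stops it being fetched over HTTP, but it does not change who can write it on disk. The tables appear to be plain arrays, so consider a format that cannot instantiate objects (for example `json_encode`/`json_decode`), or `unserialize($data, ['allowed_classes' => false])` where the supported PHP version allows it. The same pattern is visible in the `cscase_` and `csascii_` hunks further down in this file. The enclosing method starts and ends outside the hunk.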
@@ -1099,8 +1099,8 @@ class CharsetConverter implements SingletonInterface
     public function initUnicodeData($mode = null)
     {
         // Cache files
-        $cacheFileCase = GeneralUtility::getFileAbsFileName('typo3temp/cs/cscase_utf-8.tbl');
-        $cacheFileASCII = GeneralUtility::getFileAbsFileName('typo3temp/cs/csascii_utf-8.tbl');
+        $cacheFileCase = GeneralUtility::getFileAbsFileName('typo3temp/var/charset/cscase_utf-8.tbl');
+        $cacheFileASCII = GeneralUtility::getFileAbsFileName('typo3temp/var/charset/csascii_utf-8.tbl');
         // Only process if the tables are not yet loaded
         switch ($mode) {
             case 'case':
@@ -1341,7 +1341,7 @@ class CharsetConverter implements SingletonInterface
             return 1;
         }
         // Use cached version if possible
-        $cacheFile = GeneralUtility::getFileAbsFileName('typo3temp/cs/cscase_' . $charset . '.tbl');
+        $cacheFile = GeneralUtility::getFileAbsFileName('typo3temp/var/charset/cscase_' . $charset . '.tbl');
         if ($cacheFile && @is_file($cacheFile)) {
             $this->caseFolding[$charset] = unserialize(GeneralUtility::getUrl($cacheFile));
             return 2;
@@ -1403,7 +1403,7 @@ class CharsetConverter implements SingletonInterface
             return 1;
         }
         // Use cached version if possible
-        $cacheFile = GeneralUtility::getFileAbsFileName('typo3temp/cs/csascii_' . $charset . '.tbl');
+        $cacheFile = GeneralUtility::getFileAbsFileName('typo3temp/var/charset/csascii_' . $charset . '.tbl');
         if ($cacheFile && @is_file($cacheFile)) {
             $this->toASCII[$charset] = unserialize(GeneralUtility::getUrl($cacheFile));
             return 2;
index e1c1538..bef37cc 100644 (file)
@@ -33,12 +33,12 @@ class ClassLoadingInformation
     /**
      * Base directory storing all autoload information
      */
-    const AUTOLOAD_INFO_DIR = 'typo3temp/autoload/';
+    const AUTOLOAD_INFO_DIR = 'typo3temp/var/autoload/';
 
     /**
      * Base directory storing all autoload information in testing context
      */
-    const AUTOLOAD_INFO_DIR_TESTS = 'typo3temp/autoload-tests/';
+    const AUTOLOAD_INFO_DIR_TESTS = 'typo3temp/var/autoload-tests/';
 
     /**
      * Name of file that contains all classes-filename mappings
index 518f187..81ff22d 100644 (file)
@@ -24,7 +24,7 @@ use TYPO3\CMS\Core\Utility\GeneralUtility;
  */
 class FileLockStrategy implements LockingStrategyInterface
 {
-    const FILE_LOCK_FOLDER = 'typo3temp/locks/';
+    const FILE_LOCK_FOLDER = 'typo3temp/var/locks/';
 
     /**
      * @var resource File pointer if using flock method
@@ -50,7 +50,7 @@ class FileLockStrategy implements LockingStrategyInterface
         /*
          * Tests if the directory for simple locks is available.
          * If not, the directory will be created. The lock path is usually
-         * below typo3temp, typo3temp itself should exist already
+         * below typo3temp/var, typo3temp/var itself should exist already
          */
         $path = PATH_site . self::FILE_LOCK_FOLDER;
         if (!is_dir($path)) {
index f4c7a74..b560da4 100644 (file)
@@ -23,7 +23,7 @@ use TYPO3\CMS\Core\Utility\GeneralUtility;
  */
 class SemaphoreLockStrategy implements LockingStrategyInterface
 {
-    const FILE_LOCK_FOLDER = 'typo3temp/locks/';
+    const FILE_LOCK_FOLDER = 'typo3temp/var/locks/';
 
     /**
      * @var mixed Identifier used for this lock
@@ -53,7 +53,7 @@ class SemaphoreLockStrategy implements LockingStrategyInterface
     {
         $path = PATH_site . self::FILE_LOCK_FOLDER;
         if (!is_dir($path)) {
-            // Not using mkdir_deep on purpose here, if typo3temp itself
+            // Not using mkdir_deep on purpose here, if typo3temp/var itself
             // does not exist, this issue should be solved on a different
             // level of the application.
             if (!GeneralUtility::mkdir($path)) {
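Review bot: `GeneralUtility::mkdir($path)` is deliberately non-recursive, and it now depends on `typo3temp/var/`, a parent directory that installations created before this change do not have. Until the folder structure is repaired, creating the lock directory would presumably fail here and in the equivalent code of SimpleLockStrategy and FileLockStrategy. The comment should name the step that provides the parent, for example `// typo3temp/var/ is created by the install tool folder structure; re-run it after upgrading`. The constructor continues outside the hunk.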
index e4f9a6c..e34f075 100644 (file)
@@ -23,7 +23,7 @@ use TYPO3\CMS\Core\Utility\GeneralUtility;
  */
 class SimpleLockStrategy implements LockingStrategyInterface
 {
-    const FILE_LOCK_FOLDER = 'typo3temp/locks/';
+    const FILE_LOCK_FOLDER = 'typo3temp/var/locks/';
 
     /**
      * @var string File path used for this lock
@@ -53,10 +53,10 @@ class SimpleLockStrategy implements LockingStrategyInterface
     {
         // Tests if the directory for simple locks is available.
         // If not, the directory will be created. The lock path is usually
-        // below typo3temp, typo3temp itself should exist already
+        // below typo3temp/var, typo3temp/var itself should exist already
         $path = PATH_site . self::FILE_LOCK_FOLDER;
         if (!is_dir($path)) {
-            // Not using mkdir_deep on purpose here, if typo3temp itself
+            // Not using mkdir_deep on purpose here, if typo3temp/var itself
             // does not exist, this issue should be solved on a different
             // level of the application.
             if (!GeneralUtility::mkdir($path)) {
index ca56e38..fab6d49 100644 (file)
@@ -37,7 +37,7 @@ class FileWriter extends AbstractWriter
      *
      * @var string
      */
-    protected $defaultLogFileTemplate = 'typo3temp/logs/typo3_%s.log';
+    protected $defaultLogFileTemplate = 'typo3temp/var/logs/typo3_%s.log';
 
     /**
      * Log file handle storage
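Review bot: Changing the default to `typo3temp/var/logs/typo3_%s.log` leaves existing log files in `typo3temp/logs/`, and the `_.htaccess` hunk of this commit replaces `RewriteRule typo3temp/logs/ - [F]` rather than adding to it. An administrator who refreshes their .htaccess from the template after upgrading would therefore lose the access block on the old logs, which may hold sensitive data. I would keep both paths blocked for a transition period, e.g. `RewriteRule typo3temp/(?:logs|var)/ - [F]`, and state in the upgrade notes that old log files should be moved or deleted.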
index 516a1f9..5dedcd3 100644 (file)
@@ -89,8 +89,8 @@ class SimpleLockStrategyTest extends UnitTestCase
     {
         return array(
             'not withing PATH_site' => array('/tmp/TYPO3-Lock-Test'),
-            'directory traversal' => array(PATH_site . 'typo3temp/../typo3temp/locks/foo'),
-            'directory traversal 2' => array(PATH_site . 'typo3temp/locks/../locks/foo'),
+            'directory traversal' => array(PATH_site . 'typo3temp/../typo3temp/var/locks/foo'),
+            'directory traversal 2' => array(PATH_site . 'typo3temp/var/locks/../../var/locks/foo'),
             'within uploads' => array(PATH_site . 'uploads/TYPO3-Lock-Test')
         );
     }
index 75880d1..680bc11 100644 (file)
@@ -38,7 +38,7 @@ class DocumentationService
             }
 
             // Cache file locally to be able to create a composer.json file when fetching a document
-            $absoluteCacheFilename = GeneralUtility::getFileAbsFileName('typo3temp/Documentation/documents.json');
+            $absoluteCacheFilename = GeneralUtility::getFileAbsFileName('typo3temp/var/transient/documents.json');
             GeneralUtility::writeFileToTypo3tempDir($absoluteCacheFilename, $json);
         }
         return $documents;
@@ -165,7 +165,7 @@ class DocumentationService
         $languageSegment = str_replace('_', '-', strtolower($language));
         $packageName = sprintf('%s-%s-%s.zip', $packagePrefix, $version, $languageSegment);
         $packageUrl = $url . 'packages/' . $packageName;
-        $absolutePathToZipFile = GeneralUtility::getFileAbsFileName('typo3temp/Documentation/' . $packageName);
+        $absolutePathToZipFile = GeneralUtility::getFileAbsFileName('typo3temp/var/transient/' . $packageName);
 
         $packages = $this->getAvailablePackages($url);
         if (empty($packages) || !isset($packages[$version][$language])) {
@@ -195,7 +195,7 @@ class DocumentationService
             $result = $this->unzipDocumentPackage($absolutePathToZipFile, $absoluteDocumentPath);
 
             // Create a composer.json file
-            $absoluteCacheFilename = GeneralUtility::getFileAbsFileName('typo3temp/Documentation/documents.json');
+            $absoluteCacheFilename = GeneralUtility::getFileAbsFileName('typo3temp/var/transient/documents.json');
             $documents = json_decode(file_get_contents($absoluteCacheFilename), true);
             foreach ($documents as $document) {
                 if ($document['key'] === $key) {
index fc4ff3c..a0fbc82 100644 (file)
@@ -323,7 +323,7 @@ class UploadExtensionFileController extends AbstractController
      */
     protected function copyExtensionFolderToTempFolder($extensionKey)
     {
-        $this->extensionBackupPath = PATH_site . 'typo3temp/' . $extensionKey . substr(sha1($extensionKey . microtime()), 0, 7) . '/';
+        $this->extensionBackupPath = PATH_site . 'typo3temp/var/transient/' . $extensionKey . substr(sha1($extensionKey . microtime()), 0, 7) . '/';
         GeneralUtility::mkdir($this->extensionBackupPath);
         GeneralUtility::copyDirectory(
             $this->fileHandlingUtility->getExtensionDir($extensionKey),
index e922838..7d2c45b 100644 (file)
@@ -168,8 +168,7 @@ class Helper implements \TYPO3\CMS\Core\SingletonInterface
      */
     public function getLocalExtListFile()
     {
-        $absFilePath = PATH_site . 'typo3temp/ExtensionManager/' . (int)$this->repository->getUid() . '.extensions.xml.gz';
-        return $absFilePath;
+        return PATH_site . 'typo3temp/var/ExtensionManager/' . (int)$this->repository->getUid() . '.extensions.xml.gz';
     }
 
     /**
@@ -209,8 +208,7 @@ class Helper implements \TYPO3\CMS\Core\SingletonInterface
      */
     public function getLocalMirrorListFile()
     {
-        $absFilePath = PATH_site . 'typo3temp/ExtensionManager/' . (int)$this->repository->getUid() . '.mirrors.xml.gz';
-        return $absFilePath;
+        return PATH_site . 'typo3temp/var/ExtensionManager/' . (int)$this->repository->getUid() . '.mirrors.xml.gz';
     }
 
     /**
index be4c155..84a590e 100644 (file)
@@ -108,7 +108,7 @@ class UpdateScriptUtility
         if (!preg_match('/<\?php.*namespace\s+([^;]+);.*class/is', $scriptSourceCode, $matches)) {
             // if no, rename the class with a unique name
             $className = 'ext_update' . md5($extensionKey . $scriptSourceCode);
-            $temporaryFileName = PATH_site . 'typo3temp/ExtensionManager/UpdateScripts/' . $className . '.php';
+            $temporaryFileName = PATH_site . 'typo3temp/var/transient/' . $className . '.php';
             if (!file_exists(GeneralUtility::getFileAbsFileName($temporaryFileName))) {
                 $scriptSourceCode = preg_replace('/^\s*class\s+ext_update\s+/m', 'class ' . $className . ' ', $scriptSourceCode);
                 GeneralUtility::writeFileToTypo3tempDir($temporaryFileName, $scriptSourceCode);
index b0e855b..8100379 100644 (file)
@@ -130,19 +130,32 @@ class DefaultFactory
                         )
                     ),
                     array(
-                        'name' => 'cs',
-                        'type' => DirectoryNode::class,
-                        'targetPermission' => $directoryPermission,
-                    ),
-                    array(
-                        'name' => 'Cache',
-                        'type' => DirectoryNode::class,
-                        'targetPermission' => $directoryPermission,
-                    ),
-                    array(
-                        'name' => 'locks',
+                        'name' => 'var',
                         'type' => DirectoryNode::class,
                         'targetPermission' => $directoryPermission,
+                        'children' => array(
+                            array(
+                                'name' => '.htaccess',
+                                'type' => FileNode::class,
+                                'targetPermission' => $filePermission,
+                                'targetContentFile' => PATH_site . 'typo3/sysext/install/Resources/Private/FolderStructureTemplateFiles/typo3temp-var-htaccess',
+                            ),
+                            array(
+                                'name' => 'charset',
+                                'type' => DirectoryNode::class,
+                                'targetPermission' => $directoryPermission,
+                            ),
+                            array(
+                                'name' => 'Cache',
+                                'type' => DirectoryNode::class,
+                                'targetPermission' => $directoryPermission,
+                            ),
+                            array(
+                                'name' => 'locks',
+                                'type' => DirectoryNode::class,
+                                'targetPermission' => $directoryPermission,
+                            )
+                        )
                     ),
                 ),
             ),
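Review bot: The children of the new `var` node omit `transient`, although InstallStatusReport in this commit lists `typo3temp/var/transient/` as a checked directory and several callers now write there. UploadExtensionFileController, for instance, calls the non-recursive `GeneralUtility::mkdir()` on a path below it and ignores the result, so a missing `transient/` would go unnoticed until the copy fails. Adding the node next to `locks` keeps the folder structure and the status report consistent. The array continues outside the hunk.

```php
// … unchanged: .htaccess, charset, Cache and locks nodes …
array(
    'name' => 'transient',
    'type' => DirectoryNode::class,
    'targetPermission' => $directoryPermission,
),
```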
index c899501..a3d4d86 100644 (file)
@@ -73,8 +73,10 @@ class InstallStatusReport implements \TYPO3\CMS\Reports\StatusProviderInterface
             'typo3temp/assets/js/' => 2,
             // fallback storage of FAL
             'typo3temp/assets/_processed_/' => 0,
-            'typo3temp/cs/' => 2,
-            'typo3temp/locks/' => 2,
+            'typo3temp/var/' => 2,
+            'typo3temp/var/transient/' => 2,
+            'typo3temp/var/charset/' => 2,
+            'typo3temp/var/locks/' => 2,
             'typo3conf/' => 2,
             'typo3conf/ext/' => 0,
             'typo3conf/l10n/' => 0,
index d6f66d6..62a48ca 100644 (file)
@@ -97,7 +97,7 @@ class CoreUpdateService
      */
     public function initializeObject()
     {
-        $this->setDownloadTargetPath(PATH_site . 'typo3temp/core-update/');
+        $this->setDownloadTargetPath(PATH_site . 'typo3temp/var/transient/');
         $this->symlinkToCoreFiles = $this->discoverCurrentCoreSymlink();
         $this->downloadBaseUri = $this->coreVersionService->getDownloadBaseUri();
     }
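Review bot: The download target is no longer owned by the core updater, because this commit also uses `typo3temp/var/transient/` for documentation packages, translation zips, extension backups and generated update-script PHP files. If any code in this service empties, unpacks into or changes permissions on the whole target path (not visible in this hunk), it would now act on those other files as well, and fixed file names could collide across components. A dedicated subdirectory avoids both problems: `$this->setDownloadTargetPath(PATH_site . 'typo3temp/var/transient/core-update/');`. That directory would then have to be created before first use.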
index 7a71c2d..081f464 100644 (file)
@@ -22,12 +22,12 @@ use TYPO3\CMS\Core\Utility\GeneralUtility;
 class SessionService implements \TYPO3\CMS\Core\SingletonInterface
 {
     /**
-     * The path to our typo3temp (where we can write our sessions). Set in the
+     * The path to our typo3temp/var/ (where we can write our sessions). Set in the
      * constructor.
      *
      * @var string
      */
-    private $typo3tempPath;
+    private $basePath;
 
     /**
      * Path where to store our session files in typo3temp. %s will be
@@ -65,7 +65,7 @@ class SessionService implements \TYPO3\CMS\Core\SingletonInterface
      */
     public function __construct()
     {
-        $this->typo3tempPath = PATH_site . 'typo3temp/';
+        $this->basePath = PATH_site . 'typo3temp/var/';
         // Start our PHP session early so that hasSession() works
         $sessionSavePath = $this->getSessionSavePath();
         // Register our "save" session handler
@@ -105,7 +105,7 @@ class SessionService implements \TYPO3\CMS\Core\SingletonInterface
             );
         }
         $sessionSavePath = sprintf(
-            $this->typo3tempPath . $this->sessionPath,
+            $this->basePath . $this->sessionPath,
             GeneralUtility::hmac('session:' . $GLOBALS['TYPO3_CONF_VARS']['SYS']['encryptionKey'])
         );
         $this->ensureSessionSavePathExists($sessionSavePath);
@@ -406,7 +406,7 @@ class SessionService implements \TYPO3\CMS\Core\SingletonInterface
         $result = GeneralUtility::writeFile($sessionFile, $sessionData);
         if (!$result) {
             throw new Exception(
-                'Session file not writable. Please check permission on typo3temp/InstallToolSessions and its subdirectories.',
+                'Session file not writable. Please check permission on typo3temp/var/InstallToolSessions and its subdirectories.',
                 1424355157
             );
         }
diff --git a/typo3/sysext/install/Resources/Private/FolderStructureTemplateFiles/typo3temp-var-htaccess b/typo3/sysext/install/Resources/Private/FolderStructureTemplateFiles/typo3temp-var-htaccess
new file mode 100644 (file)
index 0000000..104310d
--- /dev/null
@@ -0,0 +1,15 @@
+# This file restricts access to the typo3temp/var/ directory. It is
+# meant to protect temporary files which could contain sensible
+# information. Please do not touch.
+
+# Apache < 2.3
+<IfModule !mod_authz_core.c>
+       Order allow,deny
+       Deny from all
+       Satisfy All
+</IfModule>
+
+# Apache ≥ 2.3
+<IfModule mod_authz_core.c>
+       Require all denied
+</IfModule>
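Review bot: The header comment does not say that this protection only works on Apache, and only when `AllowOverride` permits these directives. Other web servers ignore the file, and the directory still sits under the document root. I would add a line such as `# Only honoured by Apache; other web servers need an equivalent deny rule for typo3temp/var/.` so operators know to configure their own block. Separately, "sensible information" in the second comment line should read "sensitive information".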
index 6d1aca6..75595ba 100644 (file)
@@ -132,7 +132,7 @@ class TerService extends TerUtility implements SingletonInterface
         try {
             $l10n = $this->fetchTranslation($extensionKey, $language, $mirrorUrl);
             if (is_array($l10n)) {
-                $absolutePathToZipFile = GeneralUtility::getFileAbsFileName('typo3temp/Language/' . $extensionKey . '-l10n-' . $language . '.zip');
+                $absolutePathToZipFile = GeneralUtility::getFileAbsFileName('typo3temp/var/transient/' . $extensionKey . '-l10n-' . $language . '.zip');
                 $relativeLanguagePath = 'l10n' . '/' . $language . '/';
                 $absoluteLanguagePath = GeneralUtility::getFileAbsFileName(PATH_typo3conf . $relativeLanguagePath);
                 $absoluteExtensionLanguagePath = GeneralUtility::getFileAbsFileName(PATH_typo3conf . $relativeLanguagePath . $extensionKey . '/');
index bf4ed96..897679d 100644 (file)
@@ -40,7 +40,7 @@ class CommandLineBackend extends AbstractBackend
     /**
      * Temporary directory. It is best of it is outside of the web site root and
      * not publicly readable.
-     * For now we use typo3temp/.
+     * For now we use typo3temp/var/ (stored in the variable without the trailing slash).
      *
      * @var string
      */
@@ -53,7 +53,6 @@ class CommandLineBackend extends AbstractBackend
     public function __construct()
     {
         $this->opensslPath = CommandUtility::getCommand('openssl');
-        $this->temporaryDirectory = PATH_site . 'typo3temp';
         // Get temporary directory from the configuration
         $extconf = unserialize($GLOBALS['TYPO3_CONF_VARS']['EXT']['extConf']['rsaauth']);
         if (
@@ -63,6 +62,8 @@ class CommandLineBackend extends AbstractBackend
             && is_writable($extconf['temporaryDirectory'])
         ) {
             $this->temporaryDirectory = $extconf['temporaryDirectory'];
+        } else {
+            $this->temporaryDirectory = PATH_site . 'typo3temp/var';
         }
     }
 
index 80f6d5a..c4e42b8 100644 (file)
@@ -825,7 +825,7 @@ class DataHandlerHook
             return;
         }
         // Lock file name:
-        $lockFileName = PATH_site . 'typo3temp/swap_locking/' . $table . ':' . $id . '.ser';
+        $lockFileName = PATH_site . 'typo3temp/var/swap_locking/' . $table . ':' . $id . '.ser';
         if (@is_file($lockFileName)) {
             $tcemainObj->newlog('A swapping lock file was present. Either another swap process is already running or a previous swap process failed. Ask your administrator to handle the situation.', 2);
             return;