[SECURITY] Disallow access to fallback storage '0' 22/40822/2
authorNicole Cordes <typo3@cordes.co>
Wed, 17 Jun 2015 11:11:14 +0000 (13:11 +0200)
committerBenjamin Mack <benni@typo3.org>
Wed, 1 Jul 2015 14:23:06 +0000 (16:23 +0200)
All users with access to the filelist module are able to display the
content of the document root folder by spoofing the url.

This patch prevents any rendering from that storage and throws an error.

Resolves: #67538
Releases: master, 6.2
Security-Bulletin: TYPO3-CORE-SA-2015-005
Change-Id: Ic8f192696264f274e790f46c9cddc4f6ce6d5cd5
Reviewed-on: http://review.typo3.org/40822
Reviewed-by: Helmut Hummel <helmut.hummel@typo3.org>
Tested-by: Helmut Hummel <helmut.hummel@typo3.org>
Reviewed-by: Benjamin Mack <benni@typo3.org>
Tested-by: Benjamin Mack <benni@typo3.org>
typo3/sysext/filelist/Classes/Controller/FileListController.php

index 087b4d8..3672240 100644 (file)
@@ -16,6 +16,7 @@ namespace TYPO3\CMS\Filelist\Controller;
 
 use TYPO3\CMS\Backend\Utility\BackendUtility;
 use TYPO3\CMS\Core\Utility\GeneralUtility;
+use TYPO3\CMS\Core\Resource\Exception;
 
 /**
  * Script Class for creating the list of files in the File > Filelist module
@@ -126,6 +127,8 @@ class FileListController {
         *
         * @return void
         * @todo Define visibility
+        * @throws \RuntimeException
+        * @throws Exception\InsufficientFolderAccessPermissionsException
         */
        public function init() {
                // Setting GPvars:
@@ -148,9 +151,12 @@ class FileListController {
                                }
 
                                $this->folderObject = $fileFactory->getFolderObjectFromCombinedIdentifier($storage->getUid() . ':' . $identifier);
+                               // Disallow access to fallback storage 0
+                               if ($storage->getUid() === 0) {
+                                       throw new Exception\InsufficientFolderAccessPermissionsException('You are not allowed to access files outside your storages', 1434539815);
+                               }
                                // Disallow the rendering of the processing folder (e.g. could be called manually)
-                               // and all folders without any defined storage
-                               if ($this->folderObject && ($storage->getUid() === 0 || $storage->isProcessingFolder($this->folderObject))) {
+                               if ($this->folderObject && $storage->isProcessingFolder($this->folderObject)) {
                                        $this->folderObject = $storage->getRootLevelFolder();
                                }
                        } else {