[BUGFIX] Prevent information disclosure in file list 98/39898/3
authorNicole Cordes <typo3@cordes.co>
Tue, 2 Jun 2015 14:32:52 +0000 (16:32 +0200)
committerSusanne Moog <typo3@susannemoog.de>
Fri, 17 Jul 2015 14:51:46 +0000 (16:51 +0200)
Currently the doc header title of a folder shows the full path even
if the current folder is inside a mount point. This patch prevents
showing the full path: the permission check is no longer disabled;
instead the thrown exception is caught and the path inside the mount
point is returned.

Resolves: #67245
Releases: master, 6.2
Change-Id: I6e5486e8c6f923decc4016b57ff60a562f189749
Reviewed-on: http://review.typo3.org/39898
Reviewed-by: Markus Klein <markus.klein@typo3.org>
Tested-by: Harry Glatz <glatz@analog.de>
Reviewed-by: Susanne Moog <typo3@susannemoog.de>
Tested-by: Susanne Moog <typo3@susannemoog.de>
typo3/sysext/core/Classes/Resource/Folder.php

index 4675fb8..b284c09 100644 (file)
@@ -102,16 +102,18 @@ class Folder implements FolderInterface {
         * @return string
         */
        public function getReadablePath($rootId = NULL) {
-               $oldPermissionFlag = $this->getStorage()->getEvaluatePermissions();
-               $this->getStorage()->setEvaluatePermissions(FALSE);
                if ($rootId === NULL) {
-                       $rootId = $this->storage->getRootLevelFolder(FALSE)->getIdentifier();
+                       $rootId = $this->storage->getRootLevelFolder()->getIdentifier();
                }
-               $readablePath = '';
+               $readablePath = '/';
                if ($this->identifier !== $rootId) {
-                       $readablePath = $this->getParentFolder()->getReadablePath($rootId);
+                       try {
+                               $readablePath = $this->getParentFolder()->getReadablePath($rootId);
+                       } catch (Exception\InsufficientFolderAccessPermissionsException $e) {
+                               // May no access to parent folder (e.g. because of mount point)
+                               $readablePath = '/';
+                       }
                }
-               $this->getStorage()->setEvaluatePermissions($oldPermissionFlag);
                return $readablePath . $this->name . '/';
        }
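Review bot: The new default `$readablePath = '/';` also changes the result for the folder whose identifier equals `$rootId`: that branch used to return `$this->name . '/'` and now returns `'/' . $this->name . '/'`, which becomes `//` if the root folder's name is empty (not visible in this hunk, so worth confirming). Guarding the last line avoids that: `return $readablePath . ($this->name !== '' ? $this->name . '/' : '');`. The catch block is now the only thing keeping the path above a mount point out of the doc header, so its comment should say so, e.g. `// No access to the parent folder (e.g. it lies outside the mount point): start the path here so nothing above it is disclosed`. A unit test in which the parent folder throws InsufficientFolderAccessPermissionsException, asserting the returned path, would keep this from regressing.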