[!!!][BUGFIX] Do not disclose local path of file in TS 39/37839/6
author Benjamin Mack <benni@typo3.org>
Sat, 14 Mar 2015 10:30:36 +0000 (11:30 +0100)
committer Markus Klein <klein.t3@reelworx.at>
Sat, 28 Mar 2015 10:08:31 +0000 (11:08 +0100)

To avoid stale files, the TypoScript property for files
"localPath" is removed.

Resolves: #65727
Releases: master, 6.2
Change-Id: I5d34574c1efccd12a85eb263c4397bc73a9516f3
Reviewed-on: http://review.typo3.org/37839
Reviewed-by: Anja Leichsenring <aleichsenring@ab-softlab.de>
Tested-by: Anja Leichsenring <aleichsenring@ab-softlab.de>
Reviewed-by: Markus Klein <klein.t3@reelworx.at>
Tested-by: Markus Klein <klein.t3@reelworx.at>
typo3/sysext/core/Documentation/Changelog/master/Breaking-65727-DontProvideAccessToLocalpathOfFalFiles.rst [new file with mode: 0644]
typo3/sysext/frontend/Classes/ContentObject/ContentObjectRenderer.php

diff --git a/typo3/sysext/core/Documentation/Changelog/master/Breaking-65727-DontProvideAccessToLocalpathOfFalFiles.rst b/typo3/sysext/core/Documentation/Changelog/master/Breaking-65727-DontProvideAccessToLocalpathOfFalFiles.rst
new file mode 100644 (file)
index 0000000..05f8965
--- /dev/null
@@ -0,0 +1,35 @@
+=================================================================
+Breaking - #65727: Don't provide access to localPath of FAL files
+=================================================================
+
+Description
+===========
+
+It was possible to retrieve the local path of a FAL file via TypoScript
+
+.. code-block:: ts
+
+       a = TEXT
+       a.value.data = file:current:localPath
+
+The localPath property is dropped for these reasons:
+  * The implementation used allow write access to the file and hence created a local copy which created useless file garbage.
+  * Changing this to read-only access would cause the LocalDriver to return the true local path to the file, which would open the possibility to file manipulation via "side channel" of FAL. This would make the FAL data inconsistent.
+
+
+Impact
+======
+
+Any TypoScript using this file-property will stop working.
+
+
+Affected Installations
+======================
+
+Any installation with TypoScript using this file-property
+
+
+Migration
+=========
+
+There is no other possibility to retrieve this information. Use the FAL API.
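Review bot: The Migration section at the end of the new .rst contradicts itself: "There is no other possibility to retrieve this information" is followed directly by "Use the FAL API", with no indication of which call is meant. Say explicitly that TypoScript has no replacement and name the PHP method integrators should use instead. In the reasons list, "The implementation used allow write access" should read "allowed", and the Affected Installations sentence is missing its closing period. The commit subject describes this as not disclosing the local path, while the Description only gives file garbage and FAL inconsistency as reasons; one sentence on the path exposure would make the changelog match the subject. The commit message lists "Releases: master, 6.2", but the file is only added under Changelog/master, so 6.2 integrators may not see the breaking notice.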
index 7171bd6..2f8fdba 100644 (file)
@@ -5794,9 +5794,6 @@ class ContentObjectRenderer {
                                case 'publicUrl':
                                        return $fileObject->getPublicUrl();
                                        break;
-                               case 'localPath':
-                                       return $fileObject->getForLocalProcessing();
-                                       break;
                                default:
                                        // Generic alternative here
                                        return $fileObject->getProperty($requestedFileInformationKey);