[SECURITY] XSS in file list through file extension 17/62717/2
author: Andreas Fernandez <a.fernandez@scripting-base.de>
Tue, 17 Dec 2019 09:52:59 +0000 (10:52 +0100)
committer: Oliver Hader <oliver.hader@typo3.org>
Tue, 17 Dec 2019 09:53:02 +0000 (10:53 +0100)
FAL currently filters invalid characters from file names stored by its
API. However, this sanitization had no effect when the file was placed
by e.g. uploads via FTP, which doesn't trigger FAL.

This patch adds a missing `htmlspecialchars` call when the file
extension is rendered and could not be sanitized before due to the
mentioned circumstances.

Resolves: #88931
Releases: master, 9.5, 8.7
Security-Commit: 296c6a6723826b4ad2babbb1de5b9d23dfd256ea
Security-Bulletin: TYPO3-CORE-SA-2019-023
Change-Id: I24cbc623f6390944a608eadf3ebe7a13d294e0ae
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/62717
Tested-by: Oliver Hader <oliver.hader@typo3.org>
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>
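The commit message argues that sanitization at FAL's storage layer cannot be relied on for files that reach disk by another route, so escaping has to happen where the extension is rendered. The snippet below is an added illustration, not TYPO3 code: it contrasts the unescaped rendering with the escaped one and also shows why the escape call wraps `strtoupper()` rather than the other way round. The `$ext` value and the `renderExt*` helpers are constructed for this example.

```php
<?php
// Added example (not from the TYPO3 code base): output escaping of a file
// extension that bypassed FAL's filename sanitization.

// Constructed sample: an "extension" that reached disk via a path FAL does
// not control (e.g. FTP), so no character filtering happened. The tag is an
// inert marker chosen to make the difference between renderings visible.
$ext = 'txt<b class="x">';

// Rendering as it was before the patch: the raw extension is interpolated
// into backend HTML, so any markup in it reaches the browser unchanged.
function renderExtUnsafe(string $ext): string
{
    return '<td>' . strtoupper($ext) . '</td>';
}

// Rendering as the patch does it: the final string that is emitted is
// escaped, independent of whether the filename was ever sanitized upstream.
function renderExtSafe(string $ext): string
{
    return '<td>' . htmlspecialchars(strtoupper($ext)) . '</td>';
}

// Wrong order for comparison: escaping first and uppercasing afterwards
// turns entities such as "&lt;" into "&LT;", which browsers do not decode,
// so the list would show entity garbage instead of the extension. Escaping
// must be the last transformation before output.
function renderExtWrongOrder(string $ext): string
{
    return '<td>' . strtoupper(htmlspecialchars($ext)) . '</td>';
}

// Simple self-check: the safe rendering contains no raw '<' after the cell
// opener, while the unsafe one still carries the marker tag.
function extensionIsEscaped(string $html): bool
{
    $inner = substr($html, strlen('<td>'), -strlen('</td>'));
    return strpos($inner, '<') === false && strpos($inner, '"') === false;
}

echo renderExtUnsafe($ext), PHP_EOL;
echo renderExtSafe($ext), PHP_EOL;
echo renderExtWrongOrder($ext), PHP_EOL;
var_dump(extensionIsEscaped(renderExtUnsafe($ext)));  // false
var_dump(extensionIsEscaped(renderExtSafe($ext)));    // true
```

Run with `php example.php`. The check in `extensionIsEscaped` is only a demonstration aid; in the real code the guarantee comes from calling `htmlspecialchars` on every user-influenced value at the point it is written into markup, which is exactly what the hunk adds for the `fileext` column.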
typo3/sysext/filelist/Classes/FileList.php

index 91b9865..ce46380 100644
@@ -1003,7 +1003,7 @@ class FileList
                         $theData[$field] = '' . (!$fileObject->checkActionPermission('read') ? ' ' : '<strong class="text-danger">' . htmlspecialchars($this->getLanguageService()->getLL('read')) . '</strong>') . (!$fileObject->checkActionPermission('write') ? '' : '<strong class="text-danger">' . htmlspecialchars($this->getLanguageService()->getLL('write')) . '</strong>');
                         break;
                     case 'fileext':
-                        $theData[$field] = strtoupper($ext);
+                        $theData[$field] = htmlspecialchars(strtoupper($ext));
                         break;
                     case 'tstamp':
                         $theData[$field] = BackendUtility::date($fileObject->getModificationTime());
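Review bot: The escaping in the `fileext` case is applied after `strtoupper($ext)`, which is the right order (escaping first would uppercase the generated entities and break them), but nothing in the hunk records why this value is escaped at render time while the surrounding column values are not treated uniformly; a one-line comment stating that `$ext` may come from files placed outside FAL and is therefore untrusted would keep the next maintainer from "simplifying" it away. The neighbouring cases in the visible context already run `getLL()` output through `htmlspecialchars`, so this change brings `fileext` in line with them; the `tstamp` case emits `BackendUtility::date(...)` unescaped, which is acceptable only because that value is a formatted timestamp rather than user-controlled input. It is also worth checking whether `$ext` is rendered elsewhere in `FileList`, since this hunk covers only the `fileext` column.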