[BUGFIX] T3editor: Honour fileDenyPattern on saving included TS 46/25046/2
author Stefan Neufeind <typo3.neufeind@speedpartner.de>
Tue, 29 Oct 2013 11:31:23 +0000 (12:31 +0100)
committer Georg Ringer <georg.ringer@gmail.com>
Tue, 29 Oct 2013 12:40:38 +0000 (13:40 +0100)
fileDenyPattern is only checked on loading so far.
It needs to be taken into account for saving as well, since
otherwise an arbitrary file (including .php) can be overwritten.

Change-Id: Ia7edc83c8954942fb848746abc0980a304a1a6df
Resolves: #53195
Releases: 6.2, 6.1, 6.0, 4.7, 4.5
Reviewed-on: https://review.typo3.org/25046
Reviewed-by: Francois Suter
Tested-by: Francois Suter
Reviewed-by: Georg Ringer
Tested-by: Georg Ringer
typo3/sysext/core/Classes/TypoScript/Parser/TypoScriptParser.php

index 4cc6c13..98e9385 100644 (file)
@@ -990,6 +990,9 @@ class TypoScriptParser {
 
                                        if ($inIncludePart === 'FILE') {
                                                // Some file checks
+                                               if (!GeneralUtility::verifyFilenameAgainstDenyPattern($realFileName)) {
+                                                       throw new \UnexpectedValueException(sprintf('File "%s" was not included since it is not allowed due to fileDenyPattern.', $fileName), 1382651858);
+                                               }
                                                if (empty($realFileName)) {
                                                        throw new \UnexpectedValueException(sprintf('"%s" is not a valid file location.', $fileName), 1294586441);
                                                }
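
Review bot: the new `verifyFilenameAgainstDenyPattern($realFileName)` check at the top of the `FILE` branch runs before the existing `empty($realFileName)` check, so an unresolved, empty path reaches the deny-pattern test first. Moving the new block below the empty check would ensure the pattern is only ever evaluated against a resolved path and would keep the more specific "is not a valid file location" error for that case. The exception text also says the file "was not included", which reads like the load path; since the commit message describes this as the check on saving, wording such as "was not saved" would make the resulting error easier to interpret. Finally, the check is made on `$realFileName` while the message reports `$fileName`; that matches the neighbouring exception, but a short comment stating that the deny pattern is applied to the resolved name would help the next reader.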