Fixed bug #11369: jumpUrl should only allow files matching fileDenyPattern (thanks...
authorMichael Stucki <michael.stucki@typo3.org>
Tue, 23 Jun 2009 14:11:03 +0000 (14:11 +0000)
committerMichael Stucki <michael.stucki@typo3.org>
Tue, 23 Jun 2009 14:11:03 +0000 (14:11 +0000)
git-svn-id: https://svn.typo3.org/TYPO3v4/Core/branches/TYPO3_4-2@5628 709f56b5-9817-0410-a4d7-c38de5d9e867

ChangeLog
typo3/sysext/cms/tslib/class.tslib_fe.php

index 2031576..a30fbec 100755 (executable)
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,5 +1,6 @@
 2009-06-23  Michael Stucki  <michael@typo3.org>
 
+       * Fixed bug #11369: jumpUrl should only allow files matching fileDenyPattern (thanks to Ingmar Schlecht)
        * Fixed bug #11368: Ignore ENABLE_INSTALL_TOOL file if it is older than one hour
 
 2009-05-18  Oliver Hader  <oliver@typo3.org>
index eaa990e..f7aa974 100755 (executable)
@@ -2530,15 +2530,18 @@ require_once (PATH_t3lib.'class.t3lib_lock.php');
                                if ($juHash == $calcJuHash)     {
                                        if ($this->locDataCheck($locationData)) {
                                                $this->jumpurl = rawurldecode($this->jumpurl);  // 211002 - goes with cObj->filelink() rawurlencode() of filenames so spaces can be allowed.
-                                               if (@is_file($this->jumpurl))   {
-                                                       $mimeType = t3lib_div::_GP('mimeType');
-                                                       $mimeType = $mimeType ? $mimeType : 'application/octet-stream';
-                                                       header('Cache-Control: must-revalidate, post-check=0, pre-check=0');
-                                                       header('Content-Type: '.$mimeType);
-                                                       header('Content-Disposition: attachment; filename='.basename($this->jumpurl));
-                                                       readfile($this->jumpurl);
-                                                       exit;
-                                               } else die('jumpurl Secure: "'.$this->jumpurl.'" was not a valid file!');
+                                                       // Deny access to files that match TYPO3_CONF_VARS[SYS][fileDenyPattern] and whose parent directory is typo3conf/ (there could be a backup file in typo3conf/ which does not match against the fileDenyPattern)
+                                               if (t3lib_div::verifyFilenameAgainstDenyPattern($this->jumpurl) && basename(dirname($this->jumpurl)) !== 'typo3conf') {
+                                                       if (@is_file($this->jumpurl)) {
+                                                               $mimeType = t3lib_div::_GP('mimeType');
+                                                               $mimeType = $mimeType ? $mimeType : 'application/octet-stream';
+                                                               header('Cache-Control: must-revalidate, post-check=0, pre-check=0');
+                                                               header('Content-Type: '.$mimeType);
+                                                               header('Content-Disposition: attachment; filename='.basename($this->jumpurl));
+                                                               readfile($this->jumpurl);
+                                                               exit;
+                                                       } else die('jumpurl Secure: "'.$this->jumpurl.'" was not a valid file!');
+                                               } else die('jumpurl Secure: The requested file type was not allowed to be accessed through jumpUrl (fileDenyPattern)!');
                                        } else die('jumpurl Secure: locationData, '.$locationData.', was not accessible.');
                                } else die('jumpurl Secure: Calculated juHash did not match the submitted juHash.');
                        } else {
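Review bot: The typo3conf guard in the added `if` compares only `basename(dirname($this->jumpurl))` on the decoded but un-normalised string, so it covers files directly inside a directory spelled `typo3conf` and nothing deeper, and it tests the textual parent rather than the resolved one. I would resolve the path first and test containment, along the lines of `$absFile = realpath($this->jumpurl);` followed by `if ($absFile !== FALSE && t3lib_div::verifyFilenameAgainstDenyPattern($absFile) && !t3lib_div::isFirstPartOfStr($absFile, PATH_typo3conf)) {`, then pass `$absFile` to `is_file()` and `readfile()`; whether `PATH_typo3conf` is itself symlink-free on the target installs needs confirming. The new comment says files are denied when they match the pattern "and" sit in typo3conf/, while the code denies on either condition, so it should read "or". Separately, `mimeType` is still taken from the request and copied into the `Content-Type` header, and nothing visible in this hunk shows it being covered by `juHash`. The enclosing method starts and ends outside the hunk, so the hash and `locDataCheck` handling could not be reviewed in full.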