[SECURITY] Prohibit accessing storage 0 from backend UI 08/23608/2
authorSteffen Ritter <info@rs-websystems.de>
Wed, 4 Sep 2013 11:23:59 +0000 (13:23 +0200)
committerOliver Hader <oliver.hader@typo3.org>
Wed, 4 Sep 2013 11:24:03 +0000 (13:24 +0200)
Manually accessing the backend file entry points with an identifier that
refers to storage 0 may allow unfiltered access for read, write, rename,
create and delete actions.

The user interface must never deal with storage 0. Therefore
implement checks for storage 0 as protection.

Change-Id: Ia387dfac3057760800171163ff91cd9f55cab4b5
Releases: 6.2, 6.1, 6.0
Fixes: #50886
Security-Commit: b813a875ad76aa7860b76602eb1f32dcfc9fadcd
Security-Bulletin: TYPO3-CORE-SA-2013-003
Reviewed-on: https://review.typo3.org/23608
Reviewed-by: Oliver Hader
Tested-by: Oliver Hader
typo3/sysext/backend/Classes/Controller/File/CreateFolderController.php
typo3/sysext/backend/Classes/Controller/File/EditFileController.php
typo3/sysext/backend/Classes/Controller/File/FileUploadController.php
typo3/sysext/backend/Classes/Controller/File/RenameFileController.php
typo3/sysext/core/Classes/Utility/File/ExtendedFileUtility.php

index 26e3abb..f002548 100644 (file)
@@ -120,6 +120,10 @@ class CreateFolderController {
                        $message = $GLOBALS['LANG']->sL('LLL:EXT:lang/locallang_mod_file_list.xlf:targetNoDir', TRUE);
                        throw new \RuntimeException($title . ': ' . $message, 1294586843);
                }
+               if ($this->folderObject->getStorage()->getUid() === 0) {
+                       throw new \TYPO3\CMS\Core\Resource\Exception\InsufficientFolderAccessPermissionsException("You are not allowed to access folders outside your storages", 1375889838);
+               }
+
                // Setting the title and the icon
                $icon = \TYPO3\CMS\Backend\Utility\IconUtility::getSpriteIcon('apps-filetree-root');
                $this->title = $icon . htmlspecialchars($this->folderObject->getStorage()->getName()) . ': ' . htmlspecialchars($this->folderObject->getIdentifier());
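Review bot: The storage-0 guard added here is pasted verbatim, each with its own literal message and exception code, into EditFileController, FileUploadController, RenameFileController and ExtendedFileUtility as well, so the next file entry point can silently omit it. Hoisting the condition `$this->folderObject->getStorage()->getUid() === 0` into one shared helper that throws the matching Insufficient*AccessPermissionsException, called from every entry point, would keep the rule in a single place. The strict `=== 0` also assumes `getStorage()->getUid()` returns an int; if the storage record's uid were ever returned as the string `'0'` the check would not fire, so either confirm that getUid() casts or normalise with `(int)`. The enclosing method starts outside the hunk.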
index 2584026..cf49c40 100644 (file)
@@ -112,6 +112,10 @@ class EditFileController {
                        $message = $GLOBALS['LANG']->sL('LLL:EXT:lang/locallang_mod_file_list.xlf:targetNoDir', TRUE);
                        throw new \RuntimeException($title . ': ' . $message, 1294586841);
                }
+               if ($this->fileObject->getStorage()->getUid() === 0) {
+                       throw new \TYPO3\CMS\Core\Resource\Exception\InsufficientFileAccessPermissionsException("You are not allowed to access files outside your storages", 1375889832);
+               }
+
                // Setting the title and the icon
                $icon = IconUtility::getSpriteIcon('apps-filetree-root');
                $this->title = $icon . htmlspecialchars($this->fileObject->getStorage()->getName()) . ': ' . htmlspecialchars($this->fileObject->getIdentifier());
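Review bot: The new exception message on the `InsufficientFileAccessPermissionsException` line is a hardcoded English literal, while the adjacent error path a few lines above builds its text through `$GLOBALS['LANG']->sL('LLL:EXT:lang/locallang_mod_file_list.xlf:...', TRUE)`; the other four hunks have the same inconsistency. If the text is meant for backend users it should follow that localisation convention; if it is diagnostic only, a one-line comment above the guard should say so, e.g. `// Storage 0 is never a valid target from the backend UI; the message is diagnostic, not localised`. The enclosing method continues outside the hunk.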
index 87aa23a..088f27d 100644 (file)
@@ -106,6 +106,10 @@ class FileUploadController {
                if ($this->target) {
                        $this->folderObject = \TYPO3\CMS\Core\Resource\ResourceFactory::getInstance()->retrieveFileOrFolderObject($this->target);
                }
+               if ($this->folderObject->getStorage()->getUid() === 0) {
+                       throw new \TYPO3\CMS\Core\Resource\Exception\InsufficientFolderAccessPermissionsException("You are not allowed to access folders outside your storages", 1375889834);
+               }
+
                // Cleaning and checking target directory
                if (!$this->folderObject) {
                        $title = $GLOBALS['LANG']->sL('LLL:EXT:lang/locallang_mod_file_list.xlf:paramError', TRUE);
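Review bot: The guard `if ($this->folderObject->getStorage()->getUid() === 0)` is placed before the existing `if (!$this->folderObject)` check, so a request with an empty or unresolvable target now calls `getStorage()` on an unset object and dies with a PHP fatal error instead of raising the intended paramError RuntimeException. The three guard lines should be moved unchanged to just after the closing brace of the `if (!$this->folderObject) { … }` block, which ends outside the hunk. Note too that `retrieveFileOrFolderObject()` is documented by its name as possibly returning a File; if that can happen here the folder-specific exception type may be misleading, which is worth confirming. The enclosing method starts outside the hunk.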
index f45d36f..3081a3a 100644 (file)
@@ -107,6 +107,10 @@ class RenameFileController {
                        $message = $GLOBALS['LANG']->sL('LLL:EXT:lang/locallang_mod_file_list.xlf:targetNoDir', TRUE);
                        throw new \RuntimeException($title . ': ' . $message, 1294586844);
                }
+               if ($this->fileOrFolderObject->getStorage()->getUid() === 0) {
+                       throw new \TYPO3\CMS\Core\Resource\Exception\InsufficientFileAccessPermissionsException("You are not allowed to access files outside your storages", 1375889840);
+               }
+
                // If a folder should be renamed, AND the returnURL should go to the old directory name, the redirect is forced
                // so the redirect will NOT end in a error message
                // this case only happens if you select the folder itself in the foldertree and then use the clickmenu to
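Review bot: `$this->fileOrFolderObject` can hold a Folder (the comment directly below the guard describes renaming a folder), yet the guard always throws `InsufficientFileAccessPermissionsException` with a message about files, while CreateFolderController and FileUploadController throw the Folder variant for the same condition. Choosing the exception by type keeps the failure surface consistent for callers that catch one class or the other: `$isFolder = $this->fileOrFolderObject instanceof \TYPO3\CMS\Core\Resource\Folder;` and then throw `InsufficientFolderAccessPermissionsException` when `$isFolder` is true and the file variant otherwise, with the message adjusted to match. The enclosing method continues outside the hunk.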
index 44fc3fd..f2d6085 100644 (file)
@@ -527,6 +527,9 @@ class ExtendedFileUtility extends \TYPO3\CMS\Core\Utility\File\BasicFileUtility
                if (!is_object($object)) {
                        throw new \TYPO3\CMS\Core\Resource\Exception\InvalidFileException('The item ' . $identifier . ' was not a file or directory!!', 1320122453);
                }
+               if ($object->getStorage()->getUid() === 0) {
+                       throw new \TYPO3\CMS\Core\Resource\Exception\InsufficientFileAccessPermissionsException("You are not allowed to access files outside your storages", 1375889830);
+               }
                return $object;
        }
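Review bot: The method now throws `InsufficientFileAccessPermissionsException` in addition to the existing `InvalidFileException`, but nothing in the hunk updates its docblock, which sits above the hunk; add `@throws \TYPO3\CMS\Core\Resource\Exception\InsufficientFileAccessPermissionsException if the resolved object belongs to storage 0` so callers that catch by type learn of the new failure mode. Since the preceding check states the item may be a "file or directory", the same file-versus-folder exception choice raised for RenameFileController applies to `$object` here. The method header and signature are outside the hunk.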