[SECURITY] Fix arbitrary file disclosure in form extension 95/47595/2
authorSteffen Müller <typo3@t3node.com>
Tue, 12 Apr 2016 09:09:27 +0000 (11:09 +0200)
committerOliver Hader <oliver.hader@typo3.org>
Tue, 12 Apr 2016 09:09:30 +0000 (11:09 +0200)
Resolves: #73459
Releases: 6.2
Security-Commit: ab36da69dbdf20e9940faf4ff7ead88657b9ed14
Security-Bulletins: TYPO3-CORE-SA-2016-009, 010, 011, 012
Change-Id: Ie9e38ee56c8df984653d4bab161087dd20cd065c
Reviewed-on: https://review.typo3.org/47595
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>
Tested-by: Oliver Hader <oliver.hader@typo3.org>
typo3/sysext/form/Classes/Request.php

index 8fd4ee2..bdaa294 100644 (file)
@@ -275,6 +275,19 @@ class Request implements \TYPO3\CMS\Core\SingletonInterface {
                $formData = $this->getByMethod();
                if (isset($_FILES[$this->prefix]) && is_array($_FILES[$this->prefix])) {
                        foreach ($_FILES[$this->prefix]['tmp_name'] as $fieldName => $uploadedFile) {
+                               if (
+                                       $_FILES[$this->prefix]['error'][$fieldName] !== UPLOAD_ERR_OK
+                                       || !is_uploaded_file($_FILES[$this->prefix]['tmp_name'][$fieldName])
+                               ) {
+                                       unset($formData[$fieldName]);
+                                       continue;
+                               }
+                               # Remove items with blacklisted keys
+                               $formData[$fieldName] = array_diff_key(
+                                       $formData[$fieldName],
+                                       array('tempFilename' => 1, 'originalFilename' => 1, 'type' => 1, 'size' => 1)
+                               );
+
                                if (is_uploaded_file($uploadedFile)) {
                                        $tempFilename = \TYPO3\CMS\Core\Utility\GeneralUtility::upload_to_tempfile($uploadedFile);
                                        if (TYPO3_OS === 'WIN') {