Fixed #8674: Vulnerability of security bulletin typo3-20080611-1: Default value of...
authorIngmar Schlecht <ingmar.schlecht@typo3.org>
Wed, 11 Jun 2008 06:33:02 +0000 (06:33 +0000)
committerIngmar Schlecht <ingmar.schlecht@typo3.org>
Wed, 11 Jun 2008 06:33:02 +0000 (06:33 +0000)
git-svn-id: https://svn.typo3.org/TYPO3v4/Core/trunk@3795 709f56b5-9817-0410-a4d7-c38de5d9e867

ChangeLog
t3lib/class.t3lib_basicfilefunc.php
t3lib/class.t3lib_befunc.php
t3lib/class.t3lib_extfilefunc.php
t3lib/config_default.php
t3lib/stddb/tables.php
typo3/sysext/cms/tbl_tt_content.php
typo3/sysext/lang/locallang_core.xml

index ce2f20e..7004e52 100755 (executable)
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,7 @@
+2008-06-11  Ingmar Schlecht  <ingmar@typo3.org>
+
+       * Fixed #8674: Vulnerability of security bulletin typo3-20080611-1: Default value of fileDenyPattern allows arbitrary code execution on Apache (Patch by Henning Pingel, thanks!)
+
 2008-06-10  Benjamin Mack  <benni@typo3.org>
 
        * Fixed bug #8264: t3ditor - "+" (plus) signs are replaced by spaces (Thanks to Tobias Liebig)
index 654075f..020c987 100644 (file)
@@ -113,7 +113,7 @@ class t3lib_basicFileFunctions      {
         *
         *      A typical example of the array $f_ext is this:
         *              $f_ext['webspace']['allow']='';
-        *              $f_ext['webspace']['deny']='php3,php';
+        *              $f_ext['webspace']['deny']= PHP_EXTENSIONS_DEFAULT;
         *              $f_ext['ftpspace']['allow']='*';
         *              $f_ext['ftpspace']['deny']='';
         *      The control of fileextensions goes in two catagories. Webspace and Ftpspace. Webspace is folders accessible from a webbrowser (below TYPO3_DOCUMENT_ROOT) and ftpspace is everything else.
index 33783b2..16b9212 100755 (executable)
@@ -3926,6 +3926,17 @@ final class t3lib_BEfunc {
                                        '<a href="'.$url.'">',
                                        '</a>');
                        }
+                       
+                               // Check if fileDenyPattern was changed which is dangerous on Apache
+                       if ($GLOBALS['TYPO3_CONF_VARS']['BE']['fileDenyPattern'] != FILE_DENY_PATTERN_DEFAULT ) {
+                               $warnings["file_deny_pattern"] = sprintf(
+                                       $GLOBALS['LANG']->sL('LLL:EXT:lang/locallang_core.xml:warning.file_deny_pattern'),
+                                       '</br><pre>'.htmlspecialchars(FILE_DENY_PATTERN_DEFAULT).'</pre></br>');
+                       }
+                               // Check if fileDenyPattern allows to upload .htaccess files which is dangerous on Apache
+                       if ($GLOBALS['TYPO3_CONF_VARS']['BE']['fileDenyPattern'] != FILE_DENY_PATTERN_DEFAULT && t3lib_div::verifyFilenameAgainstDenyPattern(".htaccess"))      {
+                               $warnings["file_deny_htaccess"] = $GLOBALS['LANG']->sL('LLL:EXT:lang/locallang_core.xml:warning.file_deny_htaccess');
+                       }
 
                                // Check if there are still updates to perform
                        if (!t3lib_div::compat_version(TYPO3_branch)) {
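Review bot: The markup wrapped around the default pattern in the sprintf argument uses `</br>`, which is not a valid HTML tag; the line should read `'<br /><pre>'.htmlspecialchars(FILE_DENY_PATTERN_DEFAULT).'</pre><br />');`. Both new `if` conditions compare the configured pattern with the constant using loose `!=`; since both sides are strings, `!==` states the intent and avoids PHP's numeric-string comparison rules. The second condition repeats the first clause, so the `.htaccess` warning can only ever appear together with the generic "not default" warning; if the intent is to warn whenever the effective pattern permits `.htaccess`, the `!= FILE_DENY_PATTERN_DEFAULT &&` prefix can be dropped and `t3lib_div::verifyFilenameAgainstDenyPattern(".htaccess")` used on its own (I am assuming from its use here that a true return means the name is allowed). The enclosing method of t3lib_BEfunc starts and ends outside this hunk.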
index cf2d6ce..72fc81d 100755 (executable)
@@ -94,7 +94,7 @@
  * You are allowed to copy/move folders between spaces (web/ftp) IF the destination has it's f_ext[]['allow'] set to '*'!
  *
  * Advice:
- * You should always exclude php-files from the webspace. This will keep people from uploading, copy/moving and renaming files to the php3/php-extension.
+ * You should always exclude php-files from the webspace. This will keep people from uploading, copy/moving and renaming files to become executable php scripts.
  * You should never mount a ftp_space 'below' the webspace so that it reaches into the webspace. This is because if somebody unzips a zip-file in the ftp-space so that it reaches out into the webspace this will be a violation of the safety
  * For example this is a bad idea: you have an ftp-space that is '/www/' and a web-space that is '/www/htdocs/'
  *
@@ -503,7 +503,7 @@ class t3lib_extFileFunctions extends t3lib_basicFileFunctions       {
                                                                        return $theDestFile;
                                                                } else $this->writelog(2,2,109,'File "%s" WAS NOT copied to "%s"! Write-permission problem?',Array($theFile,$theDestFile));
                                                        } else  $this->writelog(2,1,110,'Target or destination was not within your mountpoints! T="%s", D="%s"',Array($theFile,$theDestFile));
-                                               } else $this->writelog(2,1,111,'Fileextension "%s" is not allowed in "%s"!',Array($fI['fileext'],$theDest.'/'));
+                                               } else $this->writelog(2,1,111,'Extension of file name "%s" is not allowed in "%s"!',Array($fI['file'],$theDest.'/'));
                                        } else $this->writelog(2,1,112,'File "%s" already exists!',Array($theDestFile));
                                } else $this->writelog(2,1,113,'File "%s" exceeds the size-limit of %s bytes',Array($theFile,$this->maxCopyFileSize*1024));
                        } else $this->writelog(2,1,114,'You are not allowed to copy files','');
@@ -593,7 +593,7 @@ class t3lib_extFileFunctions extends t3lib_basicFileFunctions       {
                                                                        return $theDestFile;
                                                                } else $this->writelog(3,2,109,'File "%s" WAS NOT moved to "%s"! Write-permission problem?',Array($theFile,$theDestFile));
                                                        } else $this->writelog(3,1,110,'Target or destination was not within your mountpoints! T="%s", D="%s"',Array($theFile,$theDestFile));
-                                               } else $this->writelog(3,1,111,'Fileextension "%s" is not allowed in "%s"!',Array($fI['fileext'],$theDest.'/'));
+                                               } else $this->writelog(3,1,111,'Extension of file name "%s" is not allowed in "%s"!',Array($fI['file'],$theDest.'/'));
                                        } else $this->writelog(3,1,112,'File "%s" already exists!',Array($theDestFile));
                                } else $this->writelog(3,1,113,'File "%s" exceeds the size-limit of %s bytes',Array($theFile,$this->maxMoveFileSize*1024));
                        } else $this->writelog(3,1,114,'You are not allowed to move files','');
@@ -668,7 +668,7 @@ class t3lib_extFileFunctions extends t3lib_basicFileFunctions       {
                                                                                                $this->writelog(5,0,1,'File renamed from "%s" to "%s"',Array($fileInfo['file'],$theNewName));
                                                                                                return $theRenameName;
                                                                                        } else $this->writelog(5,1,100,'File "%s" was not renamed! Write-permission problem in "%s"?',Array($theTarget,$fileInfo['path']));
-                                                                               } else $this->writelog(5,1,101,'Fileextension "%s" was not allowed!',Array($fI['fileext']));
+                                                                               } else $this->writelog(5,1,101,'Extension of file name "%s" was not allowed!',Array($fI['file']));
                                                                        } else $this->writelog(5,1,102,'You are not allowed to rename files!','');
                                                                } elseif ($type=='dir') {
                                                                        if ($this->actionPerms['renameFolder']) {
@@ -744,7 +744,7 @@ class t3lib_extFileFunctions extends t3lib_basicFileFunctions       {
                                                                                        return $theNewFile;
                                                                                } else $this->writelog(8,1,100,'File "%s" was not created! Write-permission problem in "%s"?',Array($fI['file'], $theTarget));
                                                                        } else $this->writelog(8,1,107,'Fileextension "%s" is not a textfile format! (%s)',Array($fI['fileext'], $extList));
-                                                               } else $this->writelog(8,1,106,'Fileextension "%s" was not allowed!',Array($fI['fileext']));
+                                                               } else $this->writelog(8,1,106,'Extension of file name "%s" was not allowed!',Array($fI['file']));
                                                        } else $this->writelog(8,1,101,'File "%s" existed already!',Array($theNewFile));
                                                } else $this->writelog(8,1,102,'Destination path "%s" was not within your mountpoints!',Array($theTarget.'/'));
                                        } else $this->writelog(8,1,103,'You are not allowed to create files!','');
@@ -779,7 +779,7 @@ class t3lib_extFileFunctions extends t3lib_basicFileFunctions       {
                                                                return TRUE;
                                                        } else $this->writelog(9,1,100,'File "%s" was not saved! Write-permission problem in "%s"?',Array($theTarget,$fileInfo['path']));
                                                } else $this->writelog(9,1,102,'Fileextension "%s" is not a textfile format! (%s)',Array($fI['fileext'], $extList));
-                                       } else $this->writelog(9,1,103,'Fileextension "%s" was not allowed!',Array($fI['fileext']));
+                                       } else $this->writelog(9,1,103,'Extension of file name "%s" was not allowed!',Array($fI['file']));
                                } else $this->writelog(9,1,104,'You are not allowed to edit files!','');
                        } else $this->writelog(9,1,121,'Destination path "%s" was not within your mountpoints!',Array($fileInfo['path']));
                } else $this->writelog(9,2,123,'Target "%s" was not a file!',Array($theTarget));
@@ -815,7 +815,7 @@ class t3lib_extFileFunctions extends t3lib_basicFileFunctions       {
                                                                                return $theNewFile;
                                                                        } else $this->writelog(1,1,100,'Uploaded file could not be moved! Write-permission problem in "%s"?',Array($theTarget.'/'));
                                                                } else $this->writelog(1,1,101,'No unique filename available in "%s"!',Array($theTarget.'/'));
-                                                       } else $this->writelog(1,1,102,'Fileextension "%s" is not allowed in "%s"!',Array($fI['fileext'],$theTarget.'/'));
+                                                       } else $this->writelog(1,1,102,'Extension of file name "%s" is not allowed in "%s"!',Array($fI['file'], $theTarget.'/'));
                                                } else $this->writelog(1,1,103,'Destination path "%s" was not within your mountpoints!',Array($theTarget.'/'));
                                        } else $this->writelog(1,1,104,'The uploaded file exceeds the size-limit of %s bytes',Array($this->maxUploadFileSize*1024));
                                } else $this->writelog(1,1,105,'You are not allowed to upload files!','');
index b00fe17..9a6eef4 100755 (executable)
 
 if (!defined ('PATH_typo3conf'))       die ('The configuration path was not properly defined!');
 
+//Security related constant: Default value of fileDenyPattern
+define('FILE_DENY_PATTERN_DEFAULT', '\.php[3-6]?(\..*)?$|^\.htaccess$');
+
+//Security related constant: Comma separated list of file extensions that should be registered as php script file extensions
+define('PHP_EXTENSIONS_DEFAULT', 'php,php3,php4,php5,php6');
+
 $TYPO3_CONF_VARS = Array(
        'GFX' => array(         // Configuration of the image processing features in TYPO3. 'IM' and 'GD' are short for ImageMagick and  GD library respectively.
                'image_processing' => 1,                                // Boolean. Enables image processing features. Disabling this means NO image processing with either GD or IM!
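Review bot: FILE_DENY_PATTERN_DEFAULT and PHP_EXTENSIONS_DEFAULT encode the same extension set twice, once as the regex class `[3-6]` and once as a comma list, with nothing tying the two definitions together, so a later edit to one will silently desynchronise the other. The deny list this commit replaces further down in the same file (the removed `'deny'=>'php,php3,php4,php5,php6,php7'` line) included php7, which neither new constant covers, so the default deny coverage is narrower after this change than before it. Suggest adding php7 to both constants and a comment on each, e.g. `// Must stay in sync with PHP_EXTENSIONS_DEFAULT below: same extension set expressed as a regular expression`, so the coupling is visible to the next editor.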
@@ -70,7 +76,7 @@ $TYPO3_CONF_VARS = Array(
                'curlProxyTunnel' => 0,                                 // Boolean: If set, use a tunneled connection through the proxy (usefull for websense etc.).
                'curlProxyUserPass' => '',                              // String: Proxyserver authentication user:pass.
                'form_enctype' => 'multipart/form-data',        // String: This is the default form encoding type for most forms in TYPO3. It allows for file uploads to be in the form. However if file-upload is disabled for your PHP version even ordinary data sent with this encryption will not get to the server. So if you have file_upload disabled, you will have to change this to eg. 'application/x-www-form-urlencoded'
-               'textfile_ext' => 'txt,html,htm,css,inc,php,php3,tmpl,js,sql',  // Text file extensions. Those that can be edited. php,php3 cannot be edited in webspace if they are disallowed! Notice:
+               'textfile_ext' => 'txt,html,htm,css,inc,tmpl,js,sql,'.PHP_EXTENSIONS_DEFAULT,   // Text file extensions. Those that can be edited. Executable PHP files may not be editable in webspace if disallowed!  
                'contentTable' => '',                                   // This is the page-content table (Normally 'tt_content')
                'T3instID' => 'N/A',                                    // A unique installation ID - not used yet. The idea is that a TYPO3 installation can identify itself by this ID string to the Extension Repository on TYPO3.org so that we can keep a realistic count of serious TYPO3 installations.
                'binPath' => '',                                                // String: List of absolute paths where external programs should be searched for. Eg. '/usr/local/webbin/,/home/xyz/bin/'. (ImageMagick path have to be configured separately)
@@ -158,13 +164,13 @@ $TYPO3_CONF_VARS = Array(
                        // The control is done like this: If an extension matches 'allow' then the check returns true. If not and an extension matches 'deny' then the check return false. If no match at all, returns true.
                        // You list extensions comma-separated. If the value is a '*' every extension is matched
                        // If no fileextension, true is returned if 'allow' is '*', false if 'deny' is '*' and true if none of these matches
-                       // This configuration below accepts everything in ftpspace and everything in webspace except php3 or php files
+                       // This configuration below accepts everything in ftpspace and everything in webspace except php3,php4,php5 or php files
                'fileExtensions' => array (
-                       'webspace' => array('allow'=>'', 'deny'=>'php,php3,php4,php5,php6,php7'),
+                       'webspace' => array('allow'=>'', 'deny'=> PHP_EXTENSIONS_DEFAULT),
                        'ftpspace' => array('allow'=>'*', 'deny'=>'')
                ),
                'customPermOptions' => array(),                 // Array with sets of custom permission options. Syntax is; 'key' => array('header' => 'header string, language splitted', 'items' => array('key' => array('label, language splitted', 'icon reference', 'Description text, language splitted'))). Keys cannot contain ":|," characters.
-               'fileDenyPattern' => '\.php$|\.php.$',  // A regular expression that - if it matches a filename - will deny the file upload/rename or whatever in the webspace. Matching with eregi() (case-insensitive).
+               'fileDenyPattern' => FILE_DENY_PATTERN_DEFAULT ,        // A regular expression that - if it matches a filename - will deny the file upload/rename or whatever in the webspace. For security reasons, files with multiple extensions have to be denied on an Apache environment with mod_alias, if the filename contains a valid php handler in an arbitary position. Also, ".htaccess" files have to be denied. Matching with eregi() (case-insensitive). Default value is stored in constant FILE_DENY_PATTERN_DEFAULT
                'interfaces' => 'backend',                                      // This determines which interface options is available in the login prompt and in which order (All options: ",backend,backend_old,frontend")
                'useOnContextMenuHandler' => 1,                 // Boolean. If set, the context menus (clickmenus) in the backend are activated on right-click - although this is not a XHTML attribute!
                'loginLabels' => 'Username|Password|Interface|Log In|Log Out|Backend,Front End,Traditional Backend|Administration Login on ###SITENAME###|(Note: Cookies and JavaScript must be enabled!)|Important Messages:|Your login attempt did not succeed. Make sure to spell your username and password correctly, including upper/lowercase characters.',              // Language labels of the login prompt.
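Review bot: The updated comment above the fileExtensions array says the webspace deny list covers "php3,php4,php5 or php files", but PHP_EXTENSIONS_DEFAULT, which is now the actual value, also contains php6; the comment is stale on the day it is written and will drift further whenever the constant changes. Better to describe the source rather than enumerate: `// This configuration below accepts everything in ftpspace and everything in webspace except the PHP extensions listed in PHP_EXTENSIONS_DEFAULT`. On the fileDenyPattern line there is a stray space before the comma (`FILE_DENY_PATTERN_DEFAULT ,`) and the comment misspells "arbitrary" as "arbitary".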
index 947402c..9417168 100755 (executable)
@@ -467,6 +467,9 @@ $FILEICONS = array(
        'tgz' => 'zip.gif',
        'gz' => 'zip.gif',
        'php3' => 'php3.gif',
+       'php4' => 'php3.gif',
+       'php5' => 'php3.gif',
+       'php6' => 'php3.gif',
        'php' => 'php3.gif',
        'ttf' => 'ttf.gif',
        'pcx' => 'pcx.gif',
index b8c07c4..c0c9b48 100755 (executable)
@@ -797,7 +797,7 @@ $TCA['tt_content'] = Array (
                                'type' => 'group',
                                'internal_type' => 'file',
                                'allowed' => '',        // Must be empty for disallowed to work.
-                               'disallowed' => 'php,php3',
+                               'disallowed' => PHP_EXTENSIONS_DEFAULT,
                                'max_size' => $GLOBALS['TYPO3_CONF_VARS']['BE']['maxFileSize'],
                                'uploadfolder' => 'uploads/media',
                                'show_thumbs' => '1',
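Review bot: The `disallowed` entry now references PHP_EXTENSIONS_DEFAULT, a constant defined in t3lib/config_default.php rather than in this file; presumably that file is always loaded before the TCA, but if it ever is not, PHP of this era turns the undefined constant into the bare string `'PHP_EXTENSIONS_DEFAULT'` with only a notice, and the disallowed list silently stops matching any real extension. A short comment on the line makes the dependency explicit: `'disallowed' => PHP_EXTENSIONS_DEFAULT,	// defined in t3lib/config_default.php`.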
@@ -1115,5 +1115,4 @@ $TCA['tt_content'] = Array (
 );
 
 
-
 ?>
\ No newline at end of file
index 9c84694..4ac52b3 100755 (executable)
@@ -193,7 +193,8 @@ Would you like to save now in order to refresh the display?</label>
                        <label index="cm.createNewRelation">Create new relation</label>
                        <label index="warning.install_password">The Install Tool is still using the default password &quot;joh316&quot;. Update this within the %sAbout section%s of the Install Tool.</label>
                        <label index="warning.backend_admin">The default backend user "admin" with password &quot;password&quot; is still present. %sEdit this account%s, either deleting it completely or changing the username and password.</label>
-                       <label index="warning.install_enabled">The Install Tool is enabled. Delete the file &quot;%s&quot; when you have finished setting up TYPO3.</label>
+                       <label index="warning.file_deny_pattern">The value of fileDenyPattern is not set to its default:%s If TYPO3 is running on Apache, a customized value might enable backend or frontend users to execute malicious php scripts.</label>
+                       <label index="warning.file_deny_htaccess">The current value of fileDenyPattern allows to upload/create files with the name ".htaccess". If TYPO3 is running on Apache, this enables backend or frontend users to create and execute php scripts. Please reset the value of fileDenyPattern to its default.</label>
                        <label index="warning.install_enabled_cmd">Click to remove the file now!</label>
                        <label index="warning.install_encryption">The encryption key is not set. Set it in the %sBasic Configuration section%s of the Install Tool.</label>
                        <label index="warning.install_update">This installation is not configured for the TYPO3 version it is running. If you did so intentionally, this message can be safely ignored. If you are unsure, visit the %sUpdate Wizard%s section of the Install Tool to see how TYPO3 would change.</label>
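Review bot: The hunk deletes the `warning.install_enabled` label (the `-` line) while adding the two new fileDenyPattern labels, but nothing in the commit message or the other files concerns the Install Tool warning, and the companion `warning.install_enabled_cmd` label on the next context line is kept, so this looks like an accidental removal rather than an intended one. Any caller that still resolves `LLL:EXT:lang/locallang_core.xml:warning.install_enabled` would then render an empty warning. Re-add the removed line alongside the two new labels.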