[BUGFIX] Add guard clause to preFileAdd form hook 96/60596/2
author Susanne Moog <susanne.moog@typo3.com>
Sat, 27 Apr 2019 14:51:27 +0000 (16:51 +0200)
committer Ralf Zimmermann <ralf.zimmermann@tritum.de>
Sat, 27 Apr 2019 18:28:20 +0000 (20:28 +0200)
With the security fix in #f3445f964, checks on EXT:form file handling
were added to ensure secure form definition files. These checks are
based on FAL hooks. One of these - preFileAdd - contains checks based
on the content of the file to add. To do that, the file content is
fetched via file_get_contents. Due to a missing guard, this was executed
for all file add operations instead of only for form definitions,
resulting in performance loss and high memory usage. The check has
now been implemented.

Resolves: #88235
Releases: master, 9.5
Change-Id: Ie685df3d67d6ee58b1cd08f18acab1208a487ce7
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/60596
Tested-by: TYPO3com <noreply@typo3.com>
Tested-by: Dominik Merkel <merkel.dominik@googlemail.com>
Tested-by: Ralf Zimmermann <ralf.zimmermann@tritum.de>
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>
Reviewed-by: Dominik Merkel <merkel.dominik@googlemail.com>
Reviewed-by: Ralf Zimmermann <ralf.zimmermann@tritum.de>
typo3/sysext/form/Classes/Slot/FilePersistenceSlot.php

index 4e3bb81..7b87eb1 100644 (file)
@@ -137,6 +137,12 @@ class FilePersistenceSlot implements SingletonInterface
             $targetFolder,
             $targetFileName
         );
+        // while assertFileName below also checks if it's a form definition
+        // we want an early return here to get rid of the file_get_contents
+        // below which would be triggered on every file add command otherwise
+        if (!$this->isFormDefinition($combinedFileIdentifier)) {
+            return;
+        }
         $this->assertFileName(
             self::COMMAND_FILE_ADD,
             $combinedFileIdentifier,
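
Review bot: The early return at `if (!$this->isFormDefinition($combinedFileIdentifier))` now bypasses every later check in this hook, including `assertFileName` and the content check that relies on `file_get_contents`, so the guard must apply exactly the same form-definition criterion as `assertFileName` does. The new comment says `assertFileName` "also checks" this; if both go through the same predicate, say so in the comment so the two cannot drift apart unnoticed, and if they do not, the guard could let a file skip the security checks that the later code would still have treated as a form definition. No test is visible in this change: please add one that asserts a non-form file add returns without reading the file content, and one that asserts a form definition file still reaches `assertFileName` and the content check.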