From 3ebb905fdf5e0cd37c007989f21965dbe03b4267 Mon Sep 17 00:00:00 2001 From: Helmut Hummel Date: Wed, 4 Sep 2013 13:13:56 +0200 Subject: [PATCH] [SECURITY] Add possibility to en-/disable file permission checks For admins and for front end request, we must be able to deactivate permission checks completely, while it must be possible to restrict backend users to not have any file permissions thus, not be able to see/change any file. Fixes: #51326 Releases: 6.2, 6.1, 6.0 Change-Id: I0b2ba16562d412e4a3bb523a54f7de317ea25c25 Security-Commit: eceac26733d6dff1826b149494532fb321274611 Security-Bulletin: TYPO3-CORE-SA-2013-003 Reviewed-on: https://review.typo3.org/23596 Reviewed-by: Oliver Hader Tested-by: Oliver Hader --- .../core/Classes/Resource/ResourceStorage.php | 80 ++++++++++++------- 1 file changed, 49 insertions(+), 31 deletions(-) diff --git a/typo3/sysext/core/Classes/Resource/ResourceStorage.php b/typo3/sysext/core/Classes/Resource/ResourceStorage.php index 5cf4c52d96be..87b842dbdc22 100644 --- a/typo3/sysext/core/Classes/Resource/ResourceStorage.php +++ b/typo3/sysext/core/Classes/Resource/ResourceStorage.php @@ -121,6 +121,16 @@ class ResourceStorage { */ protected $fileProcessingService; + /** + * Whether to check if file or folder is in user mounts + * and the action is allowed for a user + * Default is FALSE so that resources are accessible for + * front end rendering or admins. + * + * @var boolean + */ + protected $evaluatePermissions = FALSE; + /** * User filemounts, added as an array, and used as filters * @@ -500,31 +510,38 @@ class ResourceStorage { * @return boolean */ public function isWithinFileMountBoundaries($subject) { - $isWithinFilemount = TRUE; - if (is_array($this->fileMounts) && count($this->fileMounts)) { - $isWithinFilemount = FALSE; - if (!$subject) { - $subject = $this->getRootLevelFolder(); - } - $identifier = $subject->getIdentifier(); + if (!$this->evaluatePermissions) { + return TRUE; + } + $isWithinFilemount = FALSE; + if (!$subject) { + $subject = $this->getRootLevelFolder(); + } + $identifier = $subject->getIdentifier(); - // Allow access to processing folder - if ($this->driver->isWithin($this->getProcessingFolder(), $identifier)) { - $isWithinFilemount = TRUE; - } else { - // Check if the identifier of the subject is within at - // least one of the file mounts - foreach ($this->fileMounts as $fileMount) { - if ($this->driver->isWithin($fileMount['folder'], $identifier)) { - $isWithinFilemount = TRUE; - break; - } + // Allow access to processing folder + if ($this->driver->isWithin($this->getProcessingFolder(), $identifier)) { + $isWithinFilemount = TRUE; + } else { + // Check if the identifier of the subject is within at + // least one of the file mounts + foreach ($this->fileMounts as $fileMount) { + if ($this->driver->isWithin($fileMount['folder'], $identifier)) { + $isWithinFilemount = TRUE; + break; } } } return $isWithinFilemount; } + /** + * @param $evaluatePermissions + */ + public function setEvaluatePermissions($evaluatePermissions) { + $this->evaluatePermissions = (boolean) $evaluatePermissions; + } + /** * Sets the user permissions of the storage * @@ -544,18 +561,16 @@ class ResourceStorage { * @return bool */ public function checkUserActionPermission($action, $type) { - // TODO decide if we should return TRUE if no permissions are set - if (!empty($this->userPermissions)) { - $action = strtolower($action); - $type = ucfirst(strtolower($type)); - if ($this->userPermissions[$action . $type] == 0) { - return FALSE; - } else { - return TRUE; - } + if (!$this->evaluatePermissions) { + return TRUE; } - // TODO should the default be really TRUE? - return TRUE; + + $allow = FALSE; + if (!empty($this->userPermissions[strtolower($action) . ucfirst(strtolower($type))])) { + $allow = TRUE; + } + + return $allow; } /** @@ -583,7 +598,7 @@ class ResourceStorage { } // Check 3: Does the user have the right to perform the action? // (= is he within the file mount borders) - if (!$isProcessedFile && is_array($this->fileMounts) && count($this->fileMounts) && !$this->isWithinFileMountBoundaries($file)) { + if (!$isProcessedFile && !$this->isWithinFileMountBoundaries($file)) { return FALSE; } $isReadCheck = FALSE; @@ -640,7 +655,7 @@ class ResourceStorage { // Check 2: Does the user has the right to perform the action? // (= is he within the file mount borders) - if (is_array($this->fileMounts) && count($this->fileMounts) && !$this->isWithinFileMountBoundaries($folder)) { + if (!$this->isWithinFileMountBoundaries($folder)) { return FALSE; } $isReadCheck = FALSE; @@ -677,6 +692,9 @@ class ResourceStorage { * @return boolean TRUE if extension/filename is allowed */ protected function checkFileExtensionPermission($fileName) { + if (!$this->evaluatePermissions) { + return TRUE; + } $isAllowed = GeneralUtility::verifyFilenameAgainstDenyPattern($fileName); if ($isAllowed) { $fileInfo = GeneralUtility::split_fileref($fileName); -- 2.20.1