From 5d9b4e33039f95d08523d805bf5a95a94b1955ba Mon Sep 17 00:00:00 2001
From: Helmut Hummel
Date: Wed, 4 Sep 2013 13:14:17 +0200
Subject: [PATCH] [SECURITY] Deny arbitrary code execution possibility for editors

Because the filename is sanitized in the driver after the check for denied file extensions is performed, it was still possible to rename files with denied file extensions. We now perform the file extension check on the final filename which is going to be used by the driver. This change makes the sanitizing method public and introduces a basic implementation in AbstractDriver to not break existing driver implementations.

Fixes: #51495
Releases: 6.2, 6.1, 6.0
Change-Id: I2c055b7b070a5e13c2172d1f20fdcd83ee597e08
Security-Commit: de60d4ef37fc582e6349d5fa8ed13ec30d4892ff
Security-Bulletin: TYPO3-CORE-SA-2013-003
Reviewed-on: https://review.typo3.org/23598
Reviewed-by: Oliver Hader
Tested-by: Oliver Hader
---
 .../core/Classes/Resource/Driver/AbstractDriver.php | 12 ++++++++++++
 .../core/Classes/Resource/Driver/LocalDriver.php | 3 ++-
 .../sysext/core/Classes/Resource/ResourceStorage.php | 1 +
 3 files changed, 15 insertions(+), 1 deletion(-)

diff --git a/typo3/sysext/core/Classes/Resource/Driver/AbstractDriver.php b/typo3/sysext/core/Classes/Resource/Driver/AbstractDriver.php
index de0d37854f24..b926db7438bd 100644
--- a/typo3/sysext/core/Classes/Resource/Driver/AbstractDriver.php
+++ b/typo3/sysext/core/Classes/Resource/Driver/AbstractDriver.php
@@ -380,6 +380,18 @@ abstract class AbstractDriver { */ abstract public function getFileInfoByIdentifier($identifier); + /** + * Basic implementation of the method that does directly return the + * file name as is. + * + * @param string $fileName Input string, typically the body of a fileName + * @param string $charset Charset of the a fileName (defaults to current charset; depending on context) + * @return string Output string with any characters not matching [.a-zA-Z0-9_-] is substituted by '_' and trailing dots removed + */ + public function sanitizeFileName($fileName, $charset = '') { + return $fileName; + } + /** * Returns information about a file for a given file object. * diff --git a/typo3/sysext/core/Classes/Resource/Driver/LocalDriver.php b/typo3/sysext/core/Classes/Resource/Driver/LocalDriver.php index 7bd01349e96f..b62846acd88c 100644 --- a/typo3/sysext/core/Classes/Resource/Driver/LocalDriver.php +++ b/typo3/sysext/core/Classes/Resource/Driver/LocalDriver.php @@ -248,8 +248,9 @@ class LocalDriver extends AbstractHierarchicalFilesystemDriver { * @param string $fileName Input string, typically the body of a fileName * @param string $charset Charset of the a fileName (defaults to current charset; depending on context) * @return string Output string with any characters not matching [.a-zA-Z0-9_-] is substituted by '_' and trailing dots removed + * @throws \TYPO3\CMS\Core\Resource\Exception\InvalidFileNameException */ - protected function sanitizeFileName($fileName, $charset = '') { + public function sanitizeFileName($fileName, $charset = '') { // Handle UTF-8 characters if ($GLOBALS['TYPO3_CONF_VARS']['SYS']['UTF8filesystem']) { // Allow ".", "-", 0-9, a-z, A-Z and everything beyond U+C0 (latin capital letter a with grave) diff --git a/typo3/sysext/core/Classes/Resource/ResourceStorage.php b/typo3/sysext/core/Classes/Resource/ResourceStorage.php index 87b842dbdc22..03b41e09009d 100644 --- a/typo3/sysext/core/Classes/Resource/ResourceStorage.php 
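Review bot: The `@return` line on the new `AbstractDriver::sanitizeFileName()` promises that characters outside `[.a-zA-Z0-9_-]` are replaced and trailing dots removed, but the body is `return $fileName;` and changes nothing. I would reword it to `@return string The file name, unchanged; drivers that alter names on write must override this method`, so the docblock states the contract the deny-pattern check in ResourceStorage relies on. A driver that keeps its name clean-up in a private or differently named method inherits this pass-through, and its extension check then still runs on a name that is not the final one. Declaring the method public here also means, by PHP's visibility rules, that a subclass which already defines `sanitizeFileName()` as protected fails to load until it is widened to public, which the compatibility statement in the commit message does not cover.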
+++ b/typo3/sysext/core/Classes/Resource/ResourceStorage.php @@ -695,6 +695,7 @@ class ResourceStorage { if (!$this->evaluatePermissions) { return TRUE; } + $fileName = $this->driver->sanitizeFileName($fileName); $isAllowed = GeneralUtility::verifyFilenameAgainstDenyPattern($fileName); if ($isAllowed) { $fileInfo = GeneralUtility::split_fileref($fileName); -- 2.20.1
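Review bot: The added `$fileName = $this->driver->sanitizeFileName($fileName);` closes the gap only if it yields exactly the name the driver later writes, and two things in this patch leave that open. It is called without `$charset`, so a driver call site that passes a charset could sanitise to a different name than the one checked here; those call sites are outside the diff, so this needs confirming. The LocalDriver hunk also documents `@throws \TYPO3\CMS\Core\Resource\Exception\InvalidFileNameException` for this method, while the visible part of this check returns booleans, so either document the exception on the enclosing method or fail closed with `catch (\TYPO3\CMS\Core\Resource\Exception\InvalidFileNameException $e) { return FALSE; }` around the call. The enclosing method starts and ends outside the hunk.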