typo3/sysext/core/ext_localconf.php · d3c9706c827074adaefd8a79ecf5024fa4b9c756 · accessibility / TYPO3.CMS

[SECURITY] Prevent edit of file metadata of files with no access · d3c9706c

Marc Bastian Heinrichs authored Apr 23, 2014 and

Benni Mack committed Jul 01, 2015

By forging edit URLs it was possible to edit
meta data records of files which were not
within a user mount.

Implement several hooks to check access to the file
and only grant access to a meta data record if the
user has access to the file.

Resolves: #56644
Releases: master, 6.2
Security-Bulletin: TYPO3-CORE-SA-2015-002
Change-Id: I0f0704af2e7f01d16b9420f9ba4ac1a7846b5270
Reviewed-on: http://review.typo3.org/40804

Reviewed-by: Benjamin Mack <benni@typo3.org>
Tested-by: Benjamin Mack <benni@typo3.org>
Reviewed-by: Helmut Hummel <helmut.hummel@typo3.org>
Tested-by: Helmut Hummel <helmut.hummel@typo3.org>

d3c9706c