Commit 1432d9ec authored by Benni Mack's avatar Benni Mack Committed by Susanne Moog

[!!!][TASK] Remove BE/fileExtensions/webspace

The option $TYPO3_CONF_VARS[BE][fileExtensions][webspace][*]
is removed.

It was only used in some specific cases, whereas fileDenyPattern usage
is more consistently done and replaces this setting.

Resolves: #83081
Releases: master
Change-Id: I1327ad000c08d8619366c03838b01261f91fa945
Reviewed-on: https://review.typo3.org/54634


Tested-by: default avatarTYPO3com <no-reply@typo3.com>
Reviewed-by: Benni Mack's avatarBenni Mack <benni@typo3.org>
Tested-by: Benni Mack's avatarBenni Mack <benni@typo3.org>
Reviewed-by: Christian Kuhn's avatarChristian Kuhn <lolli@schwarzbu.ch>
Tested-by: Christian Kuhn's avatarChristian Kuhn <lolli@schwarzbu.ch>
Reviewed-by: Susanne Moog's avatarSusanne Moog <susanne.moog@typo3.org>
Tested-by: Susanne Moog's avatarSusanne Moog <susanne.moog@typo3.org>
parent f8c9afec
......@@ -719,34 +719,7 @@ class ResourceStorage implements ResourceStorageInterface
protected function checkFileExtensionPermission($fileName)
{
$fileName = $this->driver->sanitizeFileName($fileName);
$isAllowed = GeneralUtility::verifyFilenameAgainstDenyPattern($fileName);
if ($isAllowed && $this->evaluatePermissions) {
$fileExtension = strtolower(PathUtility::pathinfo($fileName, PATHINFO_EXTENSION));
// Set up the permissions for the file extension
$fileExtensionPermissions = $GLOBALS['TYPO3_CONF_VARS']['BE']['fileExtensions']['webspace'];
$fileExtensionPermissions['allow'] = GeneralUtility::uniqueList(strtolower($fileExtensionPermissions['allow']));
$fileExtensionPermissions['deny'] = GeneralUtility::uniqueList(strtolower($fileExtensionPermissions['deny']));
if ($fileExtension !== '') {
// If the extension is found amongst the allowed types, we return TRUE immediately
if ($fileExtensionPermissions['allow'] === '*' || GeneralUtility::inList($fileExtensionPermissions['allow'], $fileExtension)) {
return true;
}
// If the extension is found amongst the denied types, we return FALSE immediately
if ($fileExtensionPermissions['deny'] === '*' || GeneralUtility::inList($fileExtensionPermissions['deny'], $fileExtension)) {
return false;
}
// If no match we return TRUE
return true;
}
if ($fileExtensionPermissions['allow'] === '*') {
return true;
}
if ($fileExtensionPermissions['deny'] === '*') {
return false;
}
return true;
}
return $isAllowed;
return GeneralUtility::verifyFilenameAgainstDenyPattern($fileName);
}
/**
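Review bot: With the body reduced to `return GeneralUtility::verifyFilenameAgainstDenyPattern($fileName);`, checkFileExtensionPermission() no longer reads `$this->evaluatePermissions`, so storages with and without permission evaluation are filtered identically and `BE/fileDenyPattern` is the only control left on this path. The method's docblock starts outside the hunk; it should state this, e.g. `Checks the sanitized file name against BE/fileDenyPattern only; evaluatePermissions has no effect here.` The same commit deletes fileExtensionPermissionIsWorkingCorrectly from ResourceStorageTest without a visible replacement, so a case asserting that `foo.php` is still rejected by this method would keep that guarantee under test.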
......
......@@ -53,7 +53,11 @@ class BasicFileUtility
* Allowed and denied file extensions
* @var array
*/
protected $fileExtensionPermissions = [];
protected $fileExtensionPermissions = [
'allow' => '*',
'deny' => PHP_EXTENSIONS_DEFAULT
];
/**********************************
*
......@@ -61,16 +65,6 @@ class BasicFileUtility
*
**********************************/
/**
* Constructor,
* Initializes the internal array $this->fileExtensionPermissions based on TYPO3_CONF_VARS
*/
public function __construct()
{
$this->fileExtensionPermissions['allow'] = GeneralUtility::uniqueList(strtolower($GLOBALS['TYPO3_CONF_VARS']['BE']['fileExtensions']['webspace']['allow']));
$this->fileExtensionPermissions['deny'] = GeneralUtility::uniqueList(strtolower($GLOBALS['TYPO3_CONF_VARS']['BE']['fileExtensions']['webspace']['deny']));
}
/**
* Sets the file permissions, used in DataHandler e.g.
*
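Review bot: The new hard-coded default `'allow' => '*'` in the first hunk differs from the removed configuration default, which was `'allow' => ''` with `'deny' => PHP_EXTENSIONS_DEFAULT`. The removed option comment describes the evaluation order as allow first ("If an extension matches 'allow' then the check returns TRUE"), and the code deleted from ResourceStorage returned true on `allow === '*'` before looking at `deny`. If BasicFileUtility's own check, which is not visible in these hunks, follows the same order, the `deny` entry is never consulted and fileDenyPattern alone decides whether a PHP extension is accepted. Keeping the previous default, `'allow' => '',`, would preserve the deny list as a second layer. The property docblock could also say that these are defaults until the setter below replaces them.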
......
......@@ -987,14 +987,6 @@ return [
// String (exclude).Enter lines of default Page TSconfig.
'defaultPermissions' => [],
'defaultUC' => [],
// The control of file extensions goes in two categories. Webspace and Ftpspace. Webspace is folders accessible from a webbrowser (below TYPO3_DOCUMENT_ROOT) and ftpspace is everything else.
// The control is done like this: If an extension matches 'allow' then the check returns TRUE. If not and an extension matches 'deny' then the check return FALSE. If no match at all, returns TRUE.
// You list extensions comma-separated. If the value is a '*' every extension is matched
// If no file extension, TRUE is returned if 'allow' is '*', FALSE if 'deny' is '*' and TRUE if none of these matches
// This configuration below accepts everything in ftpspace and everything in webspace except php3,php4,php5 or php files
'fileExtensions' => [
'webspace' => ['allow' => '', 'deny' => PHP_EXTENSIONS_DEFAULT]
],
'customPermOptions' => [], // Array with sets of custom permission options. Syntax is; 'key' => array('header' => 'header string, language split', 'items' => array('key' => array('label, language split','icon reference', 'Description text, language split'))). Keys cannot contain ":|," characters.
'fileDenyPattern' => FILE_DENY_PATTERN_DEFAULT,
'interfaces' => 'backend',
......
......@@ -115,7 +115,7 @@ SYS:
description: 'Add the URL where you explain the extend of the warranty you provide. This URL is displayed in the login dialog as the place where people can learn more about the conditions of your warranty. Must be set (more than 10 chars) in addition with the ''loginCopyrightWarrantyProvider'' message.'
textfile_ext:
type: text
description: 'Text file extensions. Those that can be edited. Executable PHP files may not be editable in webspace if disallowed!'
description: 'Text file extensions. Those that can be edited. Executable PHP files may not be editable if disallowed!'
mediafile_ext:
type: text
description: 'Commalist of file extensions perceived as media files by TYPO3. Lowercase and no spaces between!'
......@@ -308,7 +308,7 @@ BE:
description: 'If set, make a loose comparison ('''' equals 0) when validating record values after saving in DataHandler.'
fileDenyPattern:
type: text
description: 'A perl-compatible regular expression (without delimiters!) that - if it matches a filename - will deny the file upload/rename or whatever in the webspace. For security reasons, files with multiple extensions have to be denied on an Apache environment with mod_alias, if the filename contains a valid php handler in an arbitrary position. Also, ".htaccess" files have to be denied. Matching is done case-insensitive. Default value is stored in constant FILE_DENY_PATTERN_DEFAULT'
description: 'A perl-compatible regular expression (without delimiters!) that - if it matches a filename - will deny the file upload/rename or whatever. For security reasons, files with multiple extensions have to be denied on an Apache environment with mod_alias, if the filename contains a valid php handler in an arbitrary position. Also, ".htaccess" files have to be denied. Matching is done case-insensitive. Default value is stored in constant FILE_DENY_PATTERN_DEFAULT'
interfaces:
type: text
description: 'This determines which interface options is available in the login prompt and in which order (All options: ",backend,frontend")'
......
.. include:: ../../Includes.txt
==========================================================================
Breaking: #83081 - Removed configuration option BE/fileExtensions/webspace
==========================================================================
See :issue:`83081`
Description
===========
The file extensions which are allowed to be uploaded, which were previously available under
:php:``$TYPO3_CONF_VARS[BE][fileExtensions][webspace]`` called ``allow`` and ``deny`` have been removed.
Impact
======
* Using the old configuration option names will result in a PHP notice.
* In Import/Export when uploading files :php:``fileDenyPattern`` is used instead of ``allow`` and ``deny``
* When using :php:``BasicFileUtility`` directly, only :php:``fileDenyPattern`` is used
Affected Installations
======================
TYPO3 installations which have set this option in `LocalConfiguration.php` previously, or extensions which
still use the old configuration option names.
Migration
=========
Use :php:``fileDenyPattern`` which is used consistently throughout the core to deny specific file extensions.
.. index:: LocalConfiguration, PartiallyScanned
\ No newline at end of file
......@@ -151,57 +151,6 @@ class ResourceStorageTest extends BaseTestCase
return $driver;
}
/**
* @return array
*/
public function fileExtensionPermissionDataProvider()
{
return [
'Permissions evaluated, extension not in allowed list' => [
'fileName' => 'foo.txt',
'configuration' => ['allow' => 'jpg'],
'evaluatePermissions' => true,
'isAllowed' => true,
],
'Permissions evaluated, extension in deny list' => [
'fileName' => 'foo.txt',
'configuration' => ['deny' => 'txt'],
'evaluatePermissions' => true,
'isAllowed' => false,
],
'Permissions not evaluated, extension is php' => [
'fileName' => 'foo.php',
'configuration' => [],
'evaluatePermissions' => false,
'isAllowed' => false,
],
'Permissions evaluated, extension is php' => [
'fileName' => 'foo.php',
// It is not possible to allow php file extension through configuration
'configuration' => ['allow' => 'php'],
'evaluatePermissions' => true,
'isAllowed' => false,
],
];
}
/**
* @param string $fileName
* @param array $configuration
* @param bool $evaluatePermissions
* @param bool $isAllowed
* @test
* @dataProvider fileExtensionPermissionDataProvider
*/
public function fileExtensionPermissionIsWorkingCorrectly($fileName, array $configuration, $evaluatePermissions, $isAllowed)
{
$GLOBALS['TYPO3_CONF_VARS']['BE']['fileExtensions']['webspace'] = $configuration;
$driverMock = $this->getMockForAbstractClass(AbstractDriver::class, [], '', false);
$subject = $this->getAccessibleMock(ResourceStorage::class, ['dummy'], [$driverMock, []]);
$subject->_set('evaluatePermissions', $evaluatePermissions);
$this->assertSame($isAllowed, $subject->_call('checkFileExtensionPermission', $fileName));
}
/**
* @return array
*/
......
......@@ -120,6 +120,8 @@ class SilentConfigurationUpgradeService
'GFX/png_truecolor',
// #82803
'FE/content_doktypes',
// #83081
'BE/fileExtensions'
];
public function __construct(ConfigurationManager $configurationManager = null)
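Review bot: Adding `'BE/fileExtensions'` to what appears to be the list of settings the silent upgrade removes (the array starts outside the hunk) means an installation that had extended `webspace/deny` beyond the default loses those extra blocked extensions on upgrade, with nothing shown to the administrator. Because the setting restricted uploads, the comment should record the consequence, e.g. `// #83081 - custom allow/deny lists are dropped; equivalent rules must be added to BE/fileDenyPattern`. The new entry also lacks the trailing comma that the neighbouring entries carry.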
......
......@@ -124,4 +124,14 @@ return [
'Deprecation-82438-DeprecationMethods.rst',
],
],
'$GLOBALS[\'TYPO3_CONF_VARS\'][\'BE\'][\'fileExtensions\'][\'webspace\'][\'allow\']' => [
'restFiles' => [
'Breaking-83081-RemovedConfigurationOptionBeFileExtensionsWebspace.rst',
],
],
'$GLOBALS[\'TYPO3_CONF_VARS\'][\'BE\'][\'fileExtensions\'][\'webspace\'][\'deny\']' => [
'restFiles' => [
'Breaking-83081-RemovedConfigurationOptionBeFileExtensionsWebspace.rst',
],
],
];