Skip to content
  • Oliver Hader's avatar
    [SECURITY] Mitigate directly accessible file upload in form framework · 66b75cec
    Oliver Hader authored and Oliver Hader's avatar Oliver Hader committed
    File handling implementation in `UploadedFileReferenceConverter` of
    `ext:form` creates files in `/fileadmin/user_uploads/` whenever some
    Extbase controller is (implicitly) dealing with `FileReference` models,
    unless particular implementations assign specific type converters or
    register type converters having a higher processing priority.
    As a side-effect this could lead to by-passing mime-type validators,
    allowing to plant cross-site scripting and other malicious binaries
    to public accessible `/fileadmin/` storage. PHP files and similar are
    blocked since `fileDenyPattern` rule is active in any case.
    This change makes the usage of `UploadedFileReferenceConverter` more
    specific in the scope of processing contact forms with `ext:form`
    * use random folder names for files, `.../form_abcde12345/image.png`
    * removes `UploadedFileReferenceConverter` from being used implicitly
      by other Extbase implementations dealing with `FileReference` models
    `PseudoFileReference` has been introduced to limit properties being
    serialized to `uid` (in case it's a real file reference) or `uidLocal`
    (in case it's a transient reference, pointing to a file).
    Direct URLs to uploaded files are substituted by `fileDump` eID script
    now, enforcing corresponding FAL mime-type and denying the web server
    from guessing/interpreting a different mime-type based on file suffix.
    A unique form `__session` value has been introduce, serving as seed
    to derive for instance mentioned folder names for uploaded files. In
    addition to that, form `__state` is only parsed when having been
    submitted via expected `FormFrontendController::performAction`.
    Resolves: #92136
    Releases: master, 11.1, 10.4, 9.5
    Change-Id: I7c33803443a68d6b3c895ec74da802a70bd390c1
    Security-Bulletin: TYPO3-CORE-SA-2021-002
    Security-References: CVE-2021-21355
    Tested-by: default avatarOliver Hader <>
    Reviewed-by: default avatarOliver Hader <>
Analyzing file…