In order to harden CommandUtility API, arguments used for invoking system commands are escaped in addition. Since no insecure usages have been identified in the TYPO3 core nor in public third party extensions, this change is handled using a public workflow.

In order to evaluate whether third party extensions open a potential attack vector, usages of CommandUtility::checkCommand(), CommandUtility::getCommand() and the registration of custom services ($GLOBALS['T3_SERVICES']) concerning their 'exec' argument have to be checked.

Resolves: #87450
Releases: master, 9.5, 8.7
Security-Advisory: TYPO3-PSA-2019-001
Change-Id: If4f2a63045ac7b2473881992f9731a635a768d37
Reviewed-on: https://review.typo3.org/59448
Tested-by: TYPO3com <noreply@typo3.com>
Reviewed-by: Frank Naegler <frank.naegler@typo3.org>
Tested-by: Frank Naegler <frank.naegler@typo3.org>
Reviewed-by: Georg Ringer <georg.ringer@gmail.com>
Tested-by: Georg Ringer <georg.ringer@gmail.com>
Reviewed-by: Christian Kuhn <lolli@schwarzbu.ch>
Tested-by: Christian Kuhn <lolli@schwarzbu.ch>
Reviewed-by: Anja Leichsenring <aleichsenring@ab-softlab.de>
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>
Tested-by: Oliver Hader <oliver.hader@typo3.org>
71c15ee8
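
One way to run the review the commit message asks extension authors for, as an added example that is not part of the commit or of TYPO3: a heuristic scanner that lists each CommandUtility::checkCommand() / CommandUtility::getCommand() call and each 'exec' service option, and marks whether the value passed is a plain string literal or a dynamic expression. The function names and the PHP sample are constructed for illustration.

```python
import re

# Call sites and the service option named in the commit message.
PATTERN = re.compile(
    r"""CommandUtility::(checkCommand|getCommand)\s*\(|['"]exec['"]\s*=>""")
# A PHP string literal with no escapes and no "$" interpolation.
LITERAL = re.compile(r"'[^'\\]*'" + "|" + r'"[^"\\$]*"')

def first_expr(src, pos):
    """Return the PHP expression at pos, up to the next top-level ',' or closing bracket."""
    depth, quote, i = 0, None, pos
    while i < len(src):
        ch = src[i]
        if quote:
            if ch == "\\":
                i += 1                      # skip the escaped character
            elif ch == quote:
                quote = None
        elif ch in "'\"":
            quote = ch
        elif ch in "([":
            depth += 1
        elif ch in ")]":
            if depth == 0:
                break
            depth -= 1
        elif ch == "," and depth == 0:
            break
        i += 1
    return src[pos:i].strip()

def scan(src):
    """Return (line, name, 'literal'|'dynamic', expression) for every hit in src."""
    findings = []
    for m in PATTERN.finditer(src):
        expr = first_expr(src, m.end())
        kind = "literal" if LITERAL.fullmatch(expr) else "dynamic"
        line = src.count("\n", 0, m.start()) + 1
        findings.append((line, m.group(1) or "exec", kind, expr))
    return findings

# Constructed sample extension code, not taken from any real extension.
SAMPLE = r'''<?php
$path = CommandUtility::getCommand('pdftotext');
if (CommandUtility::checkCommand($settings['tool'])) {
    $cmd = CommandUtility::getCommand($tool, 'perl');
}
ExtensionManagementUtility::addService($_EXTKEY, 'textExtract', 'tx_demo_sv1', [
    'title' => 'Demo',
    'exec' => 'pdftotext,' . $extra,
]);
'''

if __name__ == "__main__":
    for finding in scan(SAMPLE):
        print(*finding, sep="\t")
```

Entries marked dynamic are the ones to trace back by hand to see where the value originates; a literal entry only shows that the command name is fixed at that call site.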