• [SECURITY] Restrict export functionality to allowed users · 7447a3d1
    Torben Hansen authored and Oliver Hader committed
    The import functionality of the import/export module is already
    restricted to admin users or users who explicitly have access through
    the user TSConfig setting "options.impexp.enableImportForNonAdminUser".
    
    The export functionality has the following security drawbacks:
    
    * Export for editors is not limited on field level
    * The "Save to filename" functionality saves to a shared folder, which
      other editors with different access rights may have access to.
    
    Both issues are not easy to resolve and also the target audience for
    the Import/Export functionality is mainly TYPO3 admins.
    
    Therefore, now also the export functionality is restricted to TYPO3
    admin users and to users who explicitly have access through the new
    user TSConfig setting "options.impexp.enableExportForNonAdminUser".
    
    Additionally, the contents of the temporary "importexport" folder in
    file storages are now only visible to users who have access to the
    export functionality.
    
    In general, it is recommended to only install the Import/Export
    extension when the functionality is required.
    
    Resolves: #94951
    Releases: main, 11.5, 10.4
    Change-Id: Iae020baf051aeec0613366687aa8ebcbf9b3d8b2
    Security-Bulletin: TYPO3-CORE-SA-2022-001
    Security-References: CVE-2022-31046
    Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/74902
    
    Tested-by: Oliver Hader <oliver.hader@typo3.org>
    Reviewed-by: Oliver Hader <oliver.hader@typo3.org>