Commit 66b75cec, committed by Oliver Hader
[SECURITY] Mitigate directly accessible file upload in form framework
File handling implementation in `UploadedFileReferenceConverter` of `ext:form` creates files in `/fileadmin/user_uploads/` whenever some Extbase controller is (implicitly) dealing with `FileReference` models, unless particular implementations assign specific type converters or register type converters having a higher processing priority. As a side-effect this could lead to bypassing mime-type validators, allowing planting of cross-site scripting and other malicious binaries in publicly accessible `/fileadmin/` storage. PHP files and similar are blocked since the `fileDenyPattern` rule is active in any case.

This change makes the usage of `UploadedFileReferenceConverter` more specific in the scope of processing contact forms with `ext:form`:

* use random folder names for files, `.../form_abcde12345/image.png`
* removes `UploadedFileReferenceConverter` from being used implicitly by other Extbase implementations dealing with `FileReference` models

`PseudoFileReference` has been introduced to limit properties being serialized to `uid` (in case it's a real file reference) or `uidLocal` (in case it's a transient reference, pointing to a file).

Direct URLs to uploaded files are substituted by the `fileDump` eID script now, enforcing the corresponding FAL mime-type and preventing the web server from guessing/interpreting a different mime-type based on file suffix.

A unique form `__session` value has been introduced, serving as seed to derive, for instance, the mentioned folder names for uploaded files. In addition to that, form `__state` is only parsed when having been submitted via the expected `FormFrontendController::performAction`.

Resolves: #92136
Releases: master, 11.1, 10.4, 9.5
Change-Id: I7c33803443a68d6b3c895ec74da802a70bd390c1
Security-Bulletin: TYPO3-CORE-SA-2021-002
Security-References: CVE-2021-21355
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/68413
Tested-by: Oliver Hader <email@example.com>
Reviewed-by: Oliver Hader <firstname.lastname@example.org>
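As an added illustration (not part of this commit and not TYPO3 core code), the following PHP sketches two of the mitigations the commit message describes: an upload folder name derived from a per-form `__session` seed combined with a server-side secret, and a dump endpoint that serves a stored upload with the mime type recorded at upload time plus `nosniff`, instead of whatever the web server would infer from the file suffix. The function names, the mime allow-list, the `EXAMPLE_SERVER_SECRET` constant and the constructed PNG input are assumptions made for this example; a real deployment would read the secret from configuration and persist the returned record alongside the file.

```php
<?php
// Illustrative code for the mitigation pattern, not TYPO3 core code.
declare(strict_types=1);

// Assumed server-side secret; in practice read from configuration, never from code.
const EXAMPLE_SERVER_SECRET = 'replace-with-a-random-encryption-key';

// Mime types the example form stores and serves. `text/html` and `image/svg+xml`
// are deliberately absent: both execute script when a browser renders them inline.
const EXAMPLE_ALLOWED_MIME_TYPES = ['image/png', 'image/jpeg', 'application/pdf'];

/** Creates a fresh, unguessable per-form session value (the seed). */
function createFormSession(): string
{
    return bin2hex(random_bytes(16));
}

/**
 * Derives the upload folder name from the session seed. The name is stable for
 * one form session, cannot be predicted without the server secret, and contains
 * no user-controlled characters (hex only).
 */
function deriveUploadFolder(string $formSession): string
{
    $digest = hash_hmac('sha256', 'form-upload-folder/' . $formSession, EXAMPLE_SERVER_SECRET);
    return 'form_' . substr($digest, 0, 10);
}

/**
 * Validates an upload by sniffing its content (not by trusting the suffix or the
 * client-sent type) and returns the record to persist with the file: folder,
 * random file name and the detected mime type.
 */
function storeUpload(string $formSession, string $tmpPath, string $originalName): array
{
    $detected = (new finfo(FILEINFO_MIME_TYPE))->file($tmpPath);
    if (!in_array($detected, EXAMPLE_ALLOWED_MIME_TYPES, true)) {
        throw new RuntimeException('Rejected upload with mime type ' . $detected);
    }
    // The suffix only decorates the download name; it plays no role in serving.
    $extension = strtolower(pathinfo($originalName, PATHINFO_EXTENSION));
    $safeExtension = preg_match('/^[a-z0-9]{1,5}$/', $extension) === 1 ? $extension : 'bin';
    return [
        'folder' => deriveUploadFolder($formSession),
        'name' => bin2hex(random_bytes(8)) . '.' . $safeExtension,
        'mime' => $detected,
    ];
}

/**
 * Response headers for serving a stored upload, the equivalent of the `fileDump`
 * approach: the stored mime type wins, browsers are told not to sniff, and the
 * file is offered as an attachment so it is never rendered in the site's origin.
 */
function fileDumpHeaders(array $record): array
{
    if (!in_array($record['mime'], EXAMPLE_ALLOWED_MIME_TYPES, true)) {
        // Defence in depth: a record carrying an unexpected type is not served at all.
        throw new RuntimeException('Refusing to serve unexpected mime type');
    }
    return [
        'Content-Type' => $record['mime'],
        'X-Content-Type-Options' => 'nosniff',
        'Content-Disposition' => 'attachment; filename="' . $record['name'] . '"',
        'Content-Security-Policy' => "default-src 'none'; sandbox",
        'Cache-Control' => 'private, no-store',
    ];
}

// Usage with a constructed PNG signature written to a temp file (example input only).
$tmp = tempnam(sys_get_temp_dir(), 'upl');
file_put_contents($tmp, "\x89PNG\r\n\x1a\n" . str_repeat("\0", 16));
$session = createFormSession();
$record = storeUpload($session, $tmp, 'avatar.png');
unlink($tmp);

echo 'Folder for this session: ', deriveUploadFolder($session), PHP_EOL;
echo 'Stored record: ', json_encode($record), PHP_EOL;
foreach (fileDumpHeaders($record) as $name => $value) {
    echo $name, ': ', $value, PHP_EOL;
}
```

The folder derivation uses an HMAC rather than the raw `__session` value so that knowing a session value alone (for instance from a leaked URL) does not reveal where other sessions store their files, and the dump headers make the suffix irrelevant: even a file named `payload.html` is delivered as `image/png` with `nosniff` and as an attachment, which is the property the commit message attributes to the `fileDump` eID script.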
typo3/sysext/form/Classes/Domain/Runtime/FormRuntime/Lifecycle/AfterFormStateInitializedInterface.php 0 → 100644