Commit 7c7ab15a authored by Oliver Hader's avatar Oliver Hader

Fixed bug #15254: Extension Manager allows to edit arbitrary files if noEdit...

Fixed bug #15254: Extension Manager allows to edit arbitrary files if noEdit flag is not set (thanks to Helmut Hummel)

git-svn-id: https://svn.typo3.org/TYPO3v4/Core/branches/TYPO3_4-1@8386 709f56b5-9817-0410-a4d7-c38de5d9e867
parent 25d0398a
......@@ -13,6 +13,7 @@
* Fixed bug #13989: Mitigate PHP's RNG vulnerability (thanks to Marcus Krause and Helmut Hummel)
* Fixed bug #12739: XSS in shortcuts (thanks to Francois Suter and Georg Ringer)
* Fixed bug #13885: XSS in indexed search BE module (thanks to Benjamin Mack)
* Fixed bug #15254: Extension Manager allows to edit arbitrary files if noEdit flag is not set (thanks to Helmut Hummel)
2010-05-17 Oliver Hader <oliver@typo3.org>
......
......@@ -1960,7 +1960,7 @@ EXTENSION KEYS:
// Editing extension file:
$editFile = $this->CMD['editFile'];
if (t3lib_div::isFirstPartOfStr($editFile,PATH_site) && t3lib_div::isFirstPartOfStr($editFile,$absPath)) { // Paranoia...
if (t3lib_div::isAllowedAbsPath($editFile) && t3lib_div::isFirstPartOfStr($editFile, $absPath)) {
$fI = t3lib_div::split_fileref($editFile);
if (@is_file($editFile) && t3lib_div::inList($this->editTextExtensions,($fI['fileext']?$fI['fileext']:$fI['filebody']))) {
......@@ -2016,7 +2016,7 @@ EXTENSION KEYS:
$theOutput.=$this->doc->section('Filesize exceeded '.$this->kbMax.' Kbytes','Files larger than '.$this->kbMax.' KBytes are not allowed to be edited.');
}
}
} else die('Fatal Edit error: File "'.$editFile.'" was not inside the correct path of the TYPO3 Extension!');
} else die('Fatal Edit error: File "' . htmlspecialchars($editFile) . '" was not inside the correct path of the TYPO3 Extension!');
} else {
// MAIN:
......
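Review bot: The rewritten guard `if (t3lib_div::isAllowedAbsPath($editFile) && t3lib_div::isFirstPartOfStr($editFile, $absPath))` still confines the file to the extension only by a plain string-prefix test, so if `$absPath` does not end with a directory separator a file under a sibling directory sharing the prefix (e.g. `.../ext/foo` versus `.../ext/foobar/`) would also pass. `$absPath` is assigned outside the hunk, so it is worth normalising it where it is set, e.g. `$absPath = rtrim($absPath, '/') . '/';`, or asserting the trailing slash before the comparison. The test is also lexical, so a symlink placed inside the extension directory and pointing elsewhere would not be caught here; whether that is acceptable depends on what `isAllowedAbsPath()` rejects, which is not visible in this hunk. A one-line comment such as `// Path must be absolute and allowed (isAllowedAbsPath) AND lie under the extension directory; the second test is a prefix match only` would record that assumption. The enclosing method begins and ends outside the hunk.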