Bug #31278
Missing quoting in t3lib_extFileFunc
| Field | Value |
|---|---|
| Status: | Resolved |
| Priority: | Should have |
| Assignee: | - |
| Category: | - |
| Target version: | - |
| Start date: | 2011-10-25 |
| Due date: | |
| % Done: | 100% |
| TYPO3 Version: | 4.6 |
| Complexity: | |
| PHP Version: | |
| Votes: | 0 |
Description
During a FAL code sprint, we discovered that t3lib_extFileFunc does not escape file names when using them for exec calls. This could possibly lead to unwanted side-effects.
See e.g. this snippet from func_copy():
```php
if ($this->PHPFileFunctions) {
    // Pure-PHP path: no shell is involved
    copy($theFile, $theDestFile);
} else {
    // Shell path: both file names are concatenated into the command
    // string without any escaping
    $cmd = 'cp "' . $theFile . '" "' . $theDestFile . '"';
    t3lib_utility_Command::exec($cmd);
}
```
$theFile and $theDestFile are not escaped anywhere; from what I read in t3lib_utility_Command::imageMagickCommand(), I guess we would have to use escapeshellarg() here.
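As an added illustration (not TYPO3 core code), the command string built the way func_copy() did it, beside the escapeshellarg() form the fix introduces; the sample paths are constructed and nothing is executed.

```php
<?php
// Added example, not part of TYPO3: compares the unescaped command
// construction from t3lib_extFileFunc::func_copy() with the
// escapeshellarg()-based construction used by the fix.

// Original form: double quotes are concatenated around raw file names.
function buildCopyCommandUnescaped(string $theFile, string $theDestFile): string
{
    return 'cp "' . $theFile . '" "' . $theDestFile . '"';
}

// Fixed form: escapeshellarg() wraps each argument in single quotes and
// escapes any single quote inside it, so the shell receives exactly one
// word per argument whatever the file name contains.
function buildCopyCommandEscaped(string $theFile, string $theDestFile): string
{
    return 'cp ' . escapeshellarg($theFile) . ' ' . escapeshellarg($theDestFile);
}

// Constructed sample names (hypothetical paths) containing characters that
// the shell interprets: a space, a double quote and a single quote.
$source = '/tmp/in/report "draft".txt';
$dest   = "/tmp/out/it's final.txt";

echo buildCopyCommandUnescaped($source, $dest), PHP_EOL;
// The double quote inside $source terminates the quoted string early, so
// the shell no longer sees the file name as a single argument.

echo buildCopyCommandEscaped($source, $dest), PHP_EOL;
// Each argument stays one single-quoted word; the embedded single quote
// in $dest is handled by escapeshellarg() itself.
```

Running the script and comparing the two printed lines shows why the patch had to cover every argument passed to t3lib_utility_Command::exec(), not only the ones that looked safe.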
Associated revisions
[BUGFIX] Shell command arguments are not escaped
Shell command arguments should be escaped with escapeshellarg()
PHP function, which adds single quotes around the argument and
escapes all single quotes inside the argument.
Change-Id: I4fb655e6496e1d0f09d6386831daa8d2f7a95351
Resolves: #31278
Releases: 4.7, 4.6, 4.5
Reviewed-on: http://review.typo3.org/6779
Reviewed-by: Oliver Hader
Reviewed-by: Tolleiv Nietsch
Tested-by: Tolleiv Nietsch
Reviewed-by: Andy Grunwald
Reviewed-by: Wouter Wolters
Reviewed-by: Steffen Ritter
Tested-by: Steffen Ritter
[BUGFIX] Shell command arguments are not escaped
Shell command arguments should be escaped with escapeshellarg()
PHP function, which adds single quotes around the argument and
escapes all single quotes inside the argument.
Change-Id: I4fb655e6496e1d0f09d6386831daa8d2f7a95351
Resolves: #31278
Releases: 4.7, 4.6, 4.5
Reviewed-on: http://review.typo3.org/9484
Reviewed-by: Steffen Ritter
Tested-by: Steffen Ritter
[BUGFIX] Shell command arguments are not escaped
Shell command arguments should be escaped with
escapeshellarg() PHP function, which adds single quotes
around the argument and escapes all single quotes inside the
argument.
Change-Id: If6f0dd507828510893d11ebea5da88748dc7cd0c
Resolves: #31278
Releases: 4.7, 4.6, 4.5
Reviewed-on: http://review.typo3.org/12855
Reviewed-by: Helmut Hummel
Tested-by: Helmut Hummel
[BUGFIX] Shell command arguments are not escaped
Shell command arguments should be escaped with escapeshellarg()
PHP function, which adds single quotes around the argument and
escapes all single quotes inside the argument.
Change-Id: I195c159048a69535b6f863f9f598613be49a0db7
Resolves: #31278
Releases: 4.7, 4.6, 4.5
Reviewed-on: http://review.typo3.org/12856
Reviewed-by: Helmut Hummel
Tested-by: Helmut Hummel
History
Updated by Andreas Wolf over 1 year ago
- File 31278.diff added
- Has patch changed from No to Yes
- Branch set to v4
I created a patch that adds escapeshellarg() to all arguments. See attached file.
Updated by Dmitry Dulepov over 1 year ago
- Status changed from New to Under Review
Updated by Helmut Hummel over 1 year ago
- Tags set to scheduled
Updated by Gerrit Code Review over 1 year ago
Patch set 2 for branch master has been pushed to the review server.
It is available at http://review.typo3.org/6779
Updated by Steffen Gebert over 1 year ago
How can this be exploited? Only in custom PHP code?
Updated by Dmitry Dulepov about 1 year ago
- Status changed from Under Review to Resolved
- % Done changed from 0 to 100
Applied in changeset a1cd99f5394c3774902f260a8f6714441f958204.
Updated by Gerrit Code Review about 1 year ago
- Status changed from Resolved to Under Review
Patch set 1 for branch TYPO3_4-7 has been pushed to the review server.
It is available at http://review.typo3.org/9484
Updated by Dmitry Dulepov about 1 year ago
- Status changed from Under Review to Resolved
Applied in changeset f145fd32922de9d4bbc6a887b319316d8c4daff0.
Updated by Gerrit Code Review 10 months ago
- Status changed from Resolved to Under Review
Patch set 1 for branch TYPO3_4-5 has been pushed to the review server.
It is available at http://review.typo3.org/12855
Updated by Gerrit Code Review 10 months ago
Patch set 1 for branch TYPO3_4-6 has been pushed to the review server.
It is available at http://review.typo3.org/12856
Updated by Helmut Hummel 10 months ago
- Project changed from Core Security to Core
Move to public tracker again
Updated by Dmitry Dulepov 10 months ago
- Status changed from Under Review to Resolved
Applied in changeset 689bb9d95693a5871e0442ed9703b0506a292d01.
Updated by Gerrit Code Review 9 months ago
- Status changed from Resolved to Under Review
Patch set 1 for branch TYPO3_4-5 has been pushed to the review server.
It is available at http://review.typo3.org/13674
Updated by Helmut Hummel 9 months ago
- Status changed from Under Review to Resolved