TYPO3 Core

When a Youtube Video is imported by URL for example with the text/media element the video might throw an exception when displayed in the frontend. The error message can be like this:

You are not allowed to access that file: "Einfach_Energie_sparen_–_Tipp_1_–_Richtig_Heizen_und_Lüften.youtube"

This maybe caused by inproper sanitizing of the filename during the import. When the video is imported the title of the video might be retrieved (@see AbstractOEmbedHelper::transformMediaIdToFile()) and used as part of the filename. The title can contain characters like "–". When creating the file LocalDriver:.addFile() is used where the sanitization of the later filename takes place. Inside of LocalDriver::sanitizeFileName() it's checked if $GLOBALS['TYPO3_CONF_VARS']['SYS']['UTF8filesystem'] is true. If not than control characters like "–" are replaced otherwise they are left untouched as they should not cause problems. When the file get's retrieved in the frontend the permissions to read that file get checked. During this check in ResourceStorage::checkFileActionPermission() the file extension is checked with GeneralUtility::verifyFilenameAgainstDenyPattern(). At this point control characters like "–" are not allowed which leads to the exception.

A workaround could be to set GLOBALS['TYPO3_CONF_VARS']['SYS']['UTF8filesystem'] to false as the filename won't contain control characters in that case. I think a better solution would be to replace control characters during the import or change the behaiviour of GeneralUtility::verifyFilenameAgainstDenyPattern

Example video with control characters in the filename: https://www.youtube.com/watch?v=SlXSjcWp8hE