Bug #31278: Missing quoting in t3lib_extFileFunc - TYPO3 Core - TYPO3 Forge

Actions

Bug #31278

closed

Missing quoting in t3lib_extFileFunc

Added by Andreas Wolf about 13 years ago. Updated about 6 years ago.

Status:

Closed

Priority:

Should have

Assignee:

-

Category:

-

Target version:

-

Start date:

2011-10-25

Due date:

% Done:

100%

Estimated time:

TYPO3 Version:

4.6

PHP Version:

Tags:

scheduled

Complexity:

Is Regression:

Sprint Focus:

Description

During a FAL code sprint, we discovered that t3lib_extFileFunc does not escape file names when using them for exec calls. This could possibly lead to unwanted side-effects.

See e.g. this snippet from func_copy():

if ($this->PHPFileFunctions) {
    copy($theFile, $theDestFile);
} else {
    $cmd = 'cp "' . $theFile . '" "' . $theDestFile . '"';
    t3lib_utility_Command::exec($cmd);
}

$theFile and $theDestFile are not escaped anywhere; from what I read in t3lib_utility_Command::imageMagickCommand(), I guess we would have to use escapeshellarg() here.

Files

31278.diff (2.31 KB) 31278.diff

Andreas Wolf, 2011-10-25 13:43

Actions

#1

Updated by Andreas Wolf about 13 years ago

File 31278.diff 31278.diff added

I created a patch that adds escapeshellarg() to all arguments. See attached file.

Actions

#2

Updated by Dmitry Dulepov about 13 years ago

Status changed from New to Under Review

http://review.typo3.org/6779

Actions

#3

Updated by Helmut Hummel almost 13 years ago

Tags set to scheduled

Actions

#4

Updated by Gerrit Code Review almost 13 years ago

Patch set 2 for branch master has been pushed to the review server.
It is available at http://review.typo3.org/6779

Actions

#5

Updated by Steffen Gebert almost 13 years ago

How can this be exploited? Only in custom PHP code?

Actions

#6

Updated by Dmitry Dulepov over 12 years ago

Status changed from Under Review to Resolved
% Done changed from 0 to 100

Applied in changeset a1cd99f5394c3774902f260a8f6714441f958204.

Actions

#7

Updated by Gerrit Code Review over 12 years ago

Status changed from Resolved to Under Review

Patch set 1 for branch TYPO3_4-7 has been pushed to the review server.
It is available at http://review.typo3.org/9484

Actions

#8

Updated by Dmitry Dulepov over 12 years ago

Status changed from Under Review to Resolved

Applied in changeset f145fd32922de9d4bbc6a887b319316d8c4daff0.

Actions

#9

Updated by Gerrit Code Review over 12 years ago

Status changed from Resolved to Under Review

Patch set 1 for branch TYPO3_4-5 has been pushed to the review server.
It is available at http://review.typo3.org/12855

Actions

#10

Updated by Gerrit Code Review over 12 years ago

Patch set 1 for branch TYPO3_4-6 has been pushed to the review server.
It is available at http://review.typo3.org/12856

Actions

#11

Updated by Helmut Hummel over 12 years ago

Project changed from 1716 to TYPO3 Core

Move to public tracker again

Actions

#12

Updated by Dmitry Dulepov over 12 years ago

Status changed from Under Review to Resolved

Applied in changeset 689bb9d95693a5871e0442ed9703b0506a292d01.

Actions

#13

Updated by Gerrit Code Review over 12 years ago

Status changed from Resolved to Under Review

Patch set 1 for branch TYPO3_4-5 has been pushed to the review server.
It is available at http://review.typo3.org/13674

Actions

#14

Updated by Helmut Hummel over 12 years ago

Status changed from Under Review to Resolved

Actions

#15

Updated by Benni Mack about 6 years ago

Status changed from Resolved to Closed

Actions

Also available in: Atom PDF