Bug #54504

Access to files in filelist

Added by Mike Streibl over 8 years ago. Updated over 4 years ago.

Status: Closed
Priority: Should have
Assignee: -
Category: File Abstraction Layer (FAL)
Target version:
Start date: 2013-12-19
Due date:
% Done: 100%
Estimated time:
TYPO3 Version: 6.1
PHP Version:
Tags:
Complexity:
Is Regression: No
Sprint Focus:

Description

I have no access to files in the filelist when, in the TCA of the extension, the setting "allowed" is "*".
I have to set it to real file extensions.

This doesn't work:
$TCA['tx_drevo_domain_model_image']['columns']['file']['config']['allowed'] = "*";

This works:
$TCA['tx_drevo_domain_model_image']['columns']['file']['config']['allowed'] = $GLOBALS['TYPO3_CONF_VARS']['GFX']['imagefile_ext'];

#1

Updated by Mathias Schreiber over 7 years ago

  • Target version set to 7.1 (Cleanup)
  • Sprint Focus set to On Location Sprint

#2

Updated by Thomas Deuling over 7 years ago

The reason why '*' doesn't work is that '*' is only allowed for type=db and not for type=file.

See documentation:
http://docs.typo3.org/typo3cms/TCAReference/Reference/Columns/Group/Index.html#allowed

#3

Updated by Sascha Egerer over 7 years ago

  • Status changed from New to Needs Feedback

I think the disallowed part in the documentation is wrong, as it explains that "*" should be used if you want to allow all. But all file extensions should never be allowed, as this also describes which kind of file you can upload. And setting this to * will also allow you to upload php files, which is a security issue.
So I would say we have to adjust the documentation and reject this ticket.

Any other comments?

#4

Updated by Sascha Egerer over 7 years ago

Just checked the code and it looks like I was wrong. File extensions like php will be excluded by the global configuration $GLOBALS['TYPO3_CONF_VARS']['BE']['fileDenyPattern'], which has higher priority.
We'll dig a bit deeper into this.
There are still some deprecated functions used in the core.
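
The precedence described in the comment above (the global deny pattern is evaluated before the per-field "allowed" list, so '*' cannot re-enable a denied extension), as an added example that is not part of the original thread and is not TYPO3 core code. The helper name isUploadAllowed() is hypothetical and the deny pattern is a constructed sample, not the value shipped by any TYPO3 version.

```php
<?php
// Added illustration, not TYPO3 core code. isUploadAllowed() is a hypothetical
// helper; SAMPLE_DENY_PATTERN is a constructed stand-in for the value of
// $GLOBALS['TYPO3_CONF_VARS']['BE']['fileDenyPattern'].
const SAMPLE_DENY_PATTERN = '\.(php[0-9]?|phtml)(\..*)?$|^\.htaccess$';

function isUploadAllowed(string $fileName, string $allowed, string $denyPattern): bool
{
    $baseName = basename($fileName);

    // 1. The global deny pattern is checked first; a per-field "allowed"
    //    value, including '*', cannot override a match here.
    if ($denyPattern !== '') {
        $regex = '/' . str_replace('/', '\/', $denyPattern) . '/i';
        if (preg_match($regex, $baseName) === 1) {
            return false;
        }
    }

    // 2. '*' accepts every extension that survived step 1.
    $allowed = trim($allowed);
    if ($allowed === '*') {
        return true;
    }

    // 3. Otherwise the final extension must be in the comma-separated list.
    $list = array_filter(array_map('trim', explode(',', strtolower($allowed))));
    $ext  = strtolower(pathinfo($baseName, PATHINFO_EXTENSION));
    return $ext !== '' && in_array($ext, $list, true);
}

// Constructed sample input: [file name, per-field "allowed" value].
$cases = [
    ['photo.jpg',      '*'],
    ['notes.pdf',      'gif,jpg,png'],
    ['script.php',     '*'],
    ['script.php.jpg', 'gif,jpg,png'],
    ['.htaccess',      '*'],
];
foreach ($cases as [$name, $allowed]) {
    printf("%-15s allowed=%-12s => %s\n", $name, $allowed,
        isUploadAllowed($name, $allowed, SAMPLE_DENY_PATTERN) ? 'accept' : 'reject');
}
```

The script.php.jpg case shows why the deny pattern is matched against the whole file name rather than only the final extension: the name passes an extension allowlist of gif,jpg,png but is still rejected in step 1.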

#5

Updated by Gerrit Code Review over 7 years ago

  • Status changed from Needs Feedback to Under Review

Patch set 1 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at http://review.typo3.org/36392

#6

Updated by Sascha Egerer over 7 years ago

It looks like the '*' should really be allowed for files. So the documentation is wrong here as there are several checks in code for this already. I've fixed the missing part.

#7

Updated by Gerrit Code Review over 7 years ago

Patch set 2 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at http://review.typo3.org/36392

#8

Updated by Gerrit Code Review over 7 years ago

Patch set 3 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at http://review.typo3.org/36392

#9

Updated by Gerrit Code Review over 7 years ago

Patch set 1 for branch TYPO3_6-2 of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at http://review.typo3.org/36439

#10

Updated by Anonymous over 7 years ago

  • Status changed from Under Review to Resolved
  • % Done changed from 0 to 100

#11

Updated by Anja Leichsenring over 6 years ago

  • Sprint Focus deleted (On Location Sprint)

#12

Updated by Riccardo De Contardi over 4 years ago

  • Status changed from Resolved to Closed
