Bug #54504: Access to files in filelist - TYPO3 Core - TYPO3 Forge

Custom queries

Accessibility
Easy tasks
Forge Triage
JavaScript issues
JavaScript Issues (w/o Epics/Stories)
My open issues
No feedback within 90 days
Open Bugs
Open issues of 10
Recently modified
Regressions
Stabilization Issues
Usability or UX

Actions

Copy link

Bug #54504

closed

Access to files in filelist

Added by Mike Streibl almost 11 years ago. Updated about 7 years ago.

Status:

Closed

Priority:

Should have

Assignee:

Category:

File Abstraction Layer (FAL)

Target version:

7.1 (Cleanup)

Start date:

2013-12-19

Due date:

% Done:

100%

Estimated time:

TYPO3 Version:

6.1

PHP Version:

Tags:

Complexity:

Is Regression:

Sprint Focus:

Description

I have no access to files in the filelist, when in the tca of the extension the setting "allowed" is "*".
I have to set it to real file-extensions.

This doesn´t work:
$TCA['tx_drevo_domain_model_image']['columns']['file']['config']['allowed'] = "*";

This works:
$TCA['tx_drevo_domain_model_image']['columns']['file']['config']['allowed'] = $GLOBALS['TYPO3_CONF_VARS']['GFX']['imagefile_ext'];

History
Notes
Property changes
Associated revisions

Actions

Copy link

Updated by Mathias Schreiber almost 10 years ago

Target version set to 7.1 (Cleanup)
Sprint Focus set to On Location Sprint

Actions

Copy link

Updated by Thomas Deuling almost 10 years ago

The reason why '*' doesn't work is, that '*' is only allowed for type=db and not for typo=file.

See documentation:
http://docs.typo3.org/typo3cms/TCAReference/Reference/Columns/Group/Index.html#allowed

Actions

Copy link

Updated by Sascha Egerer almost 10 years ago

Status changed from New to Needs Feedback

I think the disallowed part in the documentation is wrong as there is explained that "*" should be used if you want to allow all. But all file extensions should never be allowed as this also describes which kind of file you can upload. And setting this to * will allow you to also upload php files which is a security issue.
So i would say we have to adjust the documentation and reject this ticket.

Any other comments?

Actions

Copy link

Updated by Sascha Egerer almost 10 years ago

Just checked the code and it looks like i was wrong. File extensions like php will be excluded by the global configuration $GLOBALS['TYPO3_CONF_VARS']['BE']['fileDenyPattern'] which has higher priority.
We'll dig a bit deeper into this.
There are still some deprecated functions used in the core.

Actions

Copy link

Updated by Gerrit Code Review almost 10 years ago

Status changed from Needs Feedback to Under Review

Patch set 1 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at http://review.typo3.org/36392

Actions

Copy link

Updated by Sascha Egerer almost 10 years ago

It looks like the '*' should really be allowed for files. So the documentation is wrong here as there are several checks in code for this already. I've fixed the missing part.

Actions

Copy link

Updated by Gerrit Code Review almost 10 years ago

Patch set 2 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at http://review.typo3.org/36392

Actions

Copy link

Updated by Gerrit Code Review almost 10 years ago

Patch set 3 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at http://review.typo3.org/36392

Actions

Copy link

Updated by Gerrit Code Review almost 10 years ago

Patch set 1 for branch TYPO3_6-2 of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at http://review.typo3.org/36439

Actions

Copy link

#10