Bug #54504
Closed
Access to files in filelist
100%
Description
I have no access to files in the filelist when, in the TCA of the extension, the setting "allowed" is "*".
I have to set it to real file extensions.
This doesn't work:
$TCA['tx_drevo_domain_model_image']['columns']['file']['config']['allowed'] = "*";
This works:
$TCA['tx_drevo_domain_model_image']['columns']['file']['config']['allowed'] = $GLOBALS['TYPO3_CONF_VARS']['GFX']['imagefile_ext'];
Updated by Mathias Schreiber almost 10 years ago
- Target version set to 7.1 (Cleanup)
- Sprint Focus set to On Location Sprint
Updated by Thomas Deuling almost 10 years ago
The reason why '*' doesn't work is that '*' is only allowed for type=db and not for type=file.
See documentation:
http://docs.typo3.org/typo3cms/TCAReference/Reference/Columns/Group/Index.html#allowed
Updated by Sascha Egerer almost 10 years ago
- Status changed from New to Needs Feedback
I think the disallowed part in the documentation is wrong, as it is explained there that "*" should be used if you want to allow all. But all file extensions should never be allowed, as this also describes which kind of file you can upload. And setting this to * will allow you to also upload PHP files, which is a security issue.
So I would say we have to adjust the documentation and reject this ticket.
Any other comments?
Updated by Sascha Egerer almost 10 years ago
Just checked the code and it looks like I was wrong. File extensions like php will be excluded by the global configuration $GLOBALS['TYPO3_CONF_VARS']['BE']['fileDenyPattern'], which has higher priority.
We'll dig a bit deeper into this.
There are still some deprecated functions used in the core.
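The precedence described in the comment above (global deny pattern first, then the field's "allowed" value), as an added example that is not TYPO3 core code and not part of the original thread. The helper name `isFileNameAccepted`, the constant `SAMPLE_DENY_PATTERN` and its pattern value are assumptions constructed for illustration; the real pattern is whatever is configured in $GLOBALS['TYPO3_CONF_VARS']['BE']['fileDenyPattern'].

```php
<?php
// Added illustration, not TYPO3 core code. The deny pattern below is a
// constructed sample standing in for the configured
// $GLOBALS['TYPO3_CONF_VARS']['BE']['fileDenyPattern'] value.
const SAMPLE_DENY_PATTERN = '\\.(php[3-6]?|phpsh|phtml)(\\..*)?$|^\\.htaccess$';

/**
 * Hypothetical helper: decide whether $fileName is acceptable for a field
 * whose TCA 'allowed' value is $allowed ('*' or a comma-separated list).
 */
function isFileNameAccepted(string $fileName, string $allowed, string $denyPattern): bool
{
    // Reject empty names and control characters (e.g. NUL byte truncation).
    if ($fileName === '' || preg_match('/[\\x00-\\x1f\\x7f]/', $fileName)) {
        return false;
    }
    // 1. The global deny pattern is checked first and cannot be overridden
    //    by the field configuration. It is matched case-insensitively and
    //    also catches double extensions such as "shell.php.jpg".
    if ($denyPattern !== '' && preg_match('/' . $denyPattern . '/i', basename($fileName))) {
        return false;
    }
    // 2. '*' accepts everything that survived step 1.
    $allowed = trim($allowed);
    if ($allowed === '*') {
        return true;
    }
    // 3. Otherwise the final extension must be on the allow list.
    $extension = strtolower(pathinfo($fileName, PATHINFO_EXTENSION));
    $allowList = array_filter(array_map('trim', explode(',', strtolower($allowed))));
    return in_array($extension, $allowList, true);
}

// Constructed sample file names, evaluated against both field settings.
$samples = ['photo.jpg', 'notes.txt', 'shell.php', 'shell.php.jpg', '.htaccess', 'Shell.PhTml'];
foreach (['*', 'gif,jpg,jpeg,png'] as $allowed) {
    foreach ($samples as $name) {
        printf("allowed=%-18s %-14s %s\n", $allowed, $name,
            isFileNameAccepted($name, $allowed, SAMPLE_DENY_PATTERN) ? 'accept' : 'deny');
    }
}
```

With "allowed" set to "*", the deny pattern is the only filter on uploads, so anything it does not match (for example a script type missing from the pattern) is accepted.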
Updated by Gerrit Code Review almost 10 years ago
- Status changed from Needs Feedback to Under Review
Patch set 1 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at http://review.typo3.org/36392
Updated by Sascha Egerer almost 10 years ago
It looks like the '*' should really be allowed for files. So the documentation is wrong here as there are several checks in code for this already. I've fixed the missing part.
Updated by Gerrit Code Review almost 10 years ago
Patch set 2 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at http://review.typo3.org/36392
Updated by Gerrit Code Review almost 10 years ago
Patch set 3 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at http://review.typo3.org/36392
Updated by Gerrit Code Review almost 10 years ago
Patch set 1 for branch TYPO3_6-2 of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at http://review.typo3.org/36439
Updated by Anonymous almost 10 years ago
- Status changed from Under Review to Resolved
- % Done changed from 0 to 100
Applied in changeset 16cce4343ab9b8f566b3f6d34208a90406ba4c27.
Updated by Anja Leichsenring almost 9 years ago
- Sprint Focus deleted (On Location Sprint)
Updated by Riccardo De Contardi about 7 years ago
- Status changed from Resolved to Closed