Bug #58367 (closed, 100% done)
['BE']['fileExtensions']['webspace']['allow'] not working in 6.2
Description
In TYPO3 4.7
$TYPO3_CONF_VARS['BE']['fileDenyPattern'] = '\\.(php[3-6]?|phpsh|phtml)(\\..*)?$|^\\.htaccess$';
$TYPO3_CONF_VARS['BE']['fileExtensions']['webspace']['allow'] = 'pdf,doc,docx,xls,xlsx,ppt,pptx,pps,ppsx,zip,jpg,png,mp3';
was set in localconf.php to allow only certain file types in the flash uploader. HTML or JS files couldn't be uploaded with this configuration, but could still be linked once they were in the file system (mostly imported by admins via FTP).
This also made filetypes easier to manage because you only had to list the few allowed filetypes, instead of listing the myriads of unwanted filetypes in fileDenyPattern.
In 6.2 this is migrated to LocalConfiguration.php, but only ['BE']['fileDenyPattern'] seems to be working. Now I can upload html or files without an error.
Is this a bug, or was this feature deprecated without my knowledge?
By the way, fileExtensions isn't integrated in the install tool in any TYPO3 version. Maybe it should be, if this is still a feature?
Updated by Palian Schulz about 10 years ago
I have the same problem, it would be great if this worked in 6.2.
Updated by Alexander Opitz about 10 years ago
- Category set to File Abstraction Layer (FAL)
- Status changed from New to Accepted
Updated by Andreas Kießling about 10 years ago
I'm suffering from the same bug. The check assureFileAddPermissions in ResourceStorage.php (around line 850) tests the temporary name from a file upload against the allowed / disallowed extensions. But since it has no extension, it throws an exception. Currently, you need to set allow to * to make this work
Updated by Alexander Opitz about 10 years ago
The problem is TYPO3\CMS\Core\Resource\ResourceStorage->assureFileAddPermissions():850: the $localFilePath (which is the temp file) is checked against the file (deny/allow) patterns.
Fixing this by using an empty string in assureFileUploadPermissions (like createFile() does) does not help, because the calling function addUploadedFile() later calls addFile, which again calls assureFileAddPermissions() with the temp file as $localFilePath.
So the question is: should the test of $localFilePath be eliminated completely? From our PoV we only need to secure the file names of the files which we save. A security test for the content of the files isn't implemented, so IMHO it doesn't matter whether $localFilePath is inside the allow/deny pattern or not.
Updated by Frans Saris about 10 years ago
Could you maybe add a stacktrace of all that happens until this check? (Just add "throw new \Exception();" in the ResourceStorage.)
I'm interested to know why/and from where the temp filename is used as this function imo isn't supposed to handle temporary files.
Updated by Helmut Hummel about 10 years ago
Andreas Kiessling wrote:
I'm suffering from the same bug.
What exactly is the bug you encounter?
The reporter misses the (silently dropped) possibility to add file extension white list constraints by ['webspace']['allow']
What you describe, seems to be a different issue.
tests the temporary name from a file upload against the allowed / disallowed extensions. But since it has no extension, it throws an exception.
This is not true for the default file deny pattern. What pattern do you use?
Currently, you need to set allow to * to make this work
Most likely not a good idea to do so.
Updated by Alexander Opitz about 10 years ago
Stack trace (object arguments abbreviated to their class and key fields; the Folder object in every frame is the root folder "/" of storage uid 1, "fileadmin/ (auto-created)", LocalDriver with basePath fileadmin/, pathType relative, caseSensitive 1):

#0 TYPO3\CMS\Core\Resource\ResourceStorage->assureFileAddPermissions(, TYPO3\CMS\Core\Resource\Folder Object (...), index2.jpeg) called at [/typo3-master/typo3-src/typo3/sysext/core/Classes/Resource/ResourceStorage.php:890]
#1 TYPO3\CMS\Core\Resource\ResourceStorage->assureFileUploadPermissions(/tmp/phppLHCKS, TYPO3\CMS\Core\Resource\Folder Object (...), index2.jpeg, 10845) called at [/typo3-master/typo3-src/typo3/sysext/core/Classes/Resource/ResourceStorage.php:1730]
#2 TYPO3\CMS\Core\Resource\ResourceStorage->addUploadedFile(Array ([name] => index2.jpeg, [type] => image/jpeg, [tmp_name] => /tmp/phppLHCKS, [size] => 10845), TYPO3\CMS\Core\Resource\Folder Object (...), index2.jpeg, replace) called at [/typo3-master/typo3-src/typo3/sysext/core/Classes/Resource/Folder.php:258]
#3 TYPO3\CMS\Core\Resource\Folder->addUploadedFile(Array ([name] => index2.jpeg, [type] => image/jpeg, [tmp_name] => /tmp/phppLHCKS, [size] => 10845), replace) called at [/typo3-master/typo3-src/typo3/sysext/core/Classes/Utility/File/ExtendedFileUtility.php:928]
#4 TYPO3\CMS\Core\Utility\File\ExtendedFileUtility->func_upload(Array ([target] => 1:/, [data] => 1)) called at [/typo3-master/typo3-src/typo3/sysext/core/Classes/Utility/File/ExtendedFileUtility.php:257]
#5 TYPO3\CMS\Core\Utility\File\ExtendedFileUtility->processData() called at [/typo3-master/typo3-src/typo3/sysext/backend/Classes/Controller/File/FileController.php:121]
#6 TYPO3\CMS\Backend\Controller\File\FileController->main() called at [/typo3-master/typo3-src/typo3/sysext/backend/Classes/Controller/File/FileController.php:152]
#7 TYPO3\CMS\Backend\Controller\File\FileController->processAjaxRequest(Array (), TYPO3\CMS\Core\Http\AjaxRequestHandler Object ([] => TYPO3_tcefile::process, ..., [] => plain, [] => utf-8, [] => utf-8, ...))
#8 call_user_func_array(Array ([0] => TYPO3\CMS\Backend\Controller\File\FileController Object (...), [1] => processAjaxRequest), Array ([0] => Array (), [1] => TYPO3\CMS\Core\Http\AjaxRequestHandler Object (...))) called at [/typo3-master/typo3-src/typo3/sysext/core/Classes/Utility/GeneralUtility.php:4232]
#9 TYPO3\CMS\Core\Utility\GeneralUtility::callUserFunction(TYPO3\CMS\Backend\Controller\File\FileController->processAjaxRequest, Array (), TYPO3\CMS\Core\Http\AjaxRequestHandler Object (...), , 1) called at [/typo3-master/typo3-src/typo3/ajax.php:80]

Fields of interest from the object dumps:
- FileController (frame #8) carries the request [upload] => Array ([1] => Array ([target] => 1:/, [data] => 1)) and an ExtendedFileUtility with [dontCheckForUnique] => 1, [useRecycler] => 1, [recyclerFN] => _recycler_, [tempFN] => _temp_, [maxInputNameLen] => 60 and
  [f_ext] => Array ([webspace] => Array ([allow] => , [deny] => php,php3,php4,php5,php6,phpsh,inc,phtml), [ftpspace] => Array ([allow] => *, [deny] => ))
- storage user permissions: [addFile] => 1, [readFile] => 1, [writeFile] => 1, [copyFile] => , [moveFile] => 1, [renameFile] => 1, [unzipFile] => 1, [deleteFile] => 1, [addFolder] => 1, [readFolder] => 1, [writeFolder] => 1, [copyFolder] => , [moveFolder] => 1, [renameFolder] => 1, [deleteFolder] => 1, [recursivedeleteFolder] => , [files_upload] => 1
- sys_file_storage record: [is_browsable] => 1, [is_public] => 1, [is_writable] => 1, [is_online] => 1, [is_default] => 1, processing folder /_processed_/
- registered signal slots include TYPO3\CMS\Core\Resource\Security\StoragePermissionsAspect->addUserPermissionsToStorage (ResourceFactory postProcessStorage), TYPO3\CMS\Core\Resource\Processing\FileDeletionAspect->removeFromRepository (postFileDelete) and Causal\ImageAutoresize\Slots\FileUpload->autoResize / ->populateMetadata (preFileAdd / postFileAdd)
Updated by Helmut Hummel about 10 years ago
Alexander Opitz wrote:
The problem is TYPO3\CMS\Core\Resource\ResourceStorage->assureFileAddPermissions():850: the $localFilePath (which is the temp file) is checked against the file (deny/allow) patterns.
Fixing this by using an empty string in assureFileUploadPermissions (like createFile() does) does not help, because the calling function addUploadedFile() later calls addFile, which again calls assureFileAddPermissions() with the temp file as $localFilePath.
Can you elaborate why exactly this is an issue?
So the question is: should the test of $localFilePath be eliminated completely? From our PoV we only need to secure the file names of the files which we save. A security test for the content of the files isn't implemented, so IMHO it doesn't matter whether $localFilePath is inside the allow/deny pattern or not.
This may be true. However I'd only remove this check if
a) we can prove there is no possibility to exploit it (which we probably can)
b) it actually causes problems (which I currently don't see)
Updated by Frans Saris about 10 years ago
After a quick check it looks to me that (ResourceStorage.php, lines 827-830):

// Check for a valid file extension
if (!$this->checkFileExtensionPermission($targetFileName) || ($localFilePath && !$this->checkFileExtensionPermission($localFilePath))) {
    throw new Exception\IllegalFileExtensionException('Extension of file name is not allowed in "' . $targetFileName . '"!', 1322120271);
}

Should be:

// Check for a valid file extension
if (!$this->checkFileExtensionPermission($targetFileName) || (!$targetFileName && !$localFilePath && !$this->checkFileExtensionPermission($localFilePath))) {
    throw new Exception\IllegalFileExtensionException('Extension of file name is not allowed in "' . $targetFileName . '"!', 1322120271);
}
Updated by Andreas Kießling about 10 years ago
Helmut Hummel wrote:
Andreas Kiessling wrote:
I'm suffering from the same bug.
What exactly is the bug you encounter?
The reporter misses the (silently dropped) possibility to add file extension white list constraints by ['webspace']['allow']
What you describe, seems to be a different issue.
Nope, same issue
tests the temporary name from a file upload against the allowed / disallowed extensions. But since it has no extension, it throws an exception.
This is not true for the default file deny pattern. What pattern do you use?
$TYPO3_CONF_VARS['BE']['fileExtensions']['webspace']['allow'] = 'png,gif,jpg,jpeg,pdf';
$TYPO3_CONF_VARS['BE']['fileExtensions']['webspace']['deny'] = '*';
Currently, you need to set allow to * to make this work
Most likely not a good idea to do so.
Yep, i totally agree ;)
Updated by Alexander Opitz about 10 years ago
@Helmut
Then please try the issue yourself.
- Configure for example
$TYPO3_CONF_VARS['BE']['fileExtensions']['webspace']['allow'] = 'png,gif,jpg,jpeg,pdf';
$TYPO3_CONF_VARS['BE']['fileExtensions']['webspace']['deny'] = '*';
- Login as non admin user
- Try to upload a file.
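Added example (my own model, not TYPO3's code) of the logic argued over above: the fileDenyPattern blacklist, the ['webspace'] allow/deny lists, and the 6.2 assureFileAddPermissions check that Frans quoted, which tests the PHP temp name as well as the target name. The three configurations are the ones posted in this thread (the 6.2 default is the [f_ext][webspace] block visible in Alexander's stack trace), and /tmp/phppLHCKS is the temp name from that trace. The evaluation order of allow against deny is my reading of TYPO3's BasicFileUtility::is_allowed() and is stated in the code as an assumption; the case-insensitive application of fileDenyPattern is likewise assumed.

```python
import re

# Constructed model of the checks discussed in this thread; this is NOT TYPO3's code.
# Default fileDenyPattern as quoted in the report. TYPO3 runs it through preg_match
# with the /i modifier (assumption), hence re.IGNORECASE below.
FILE_DENY_PATTERN = r'\.(php[3-6]?|phpsh|phtml)(\..*)?$|^\.htaccess$'

# (allow, deny) configurations taken from the thread. DEFAULT_62 is the
# [f_ext][webspace] block shown in the ExtendedFileUtility dump of the stack trace.
DEFAULT_62 = ('', 'php,php3,php4,php5,php6,phpsh,inc,phtml')
REPORTER = ('pdf,doc,docx,xls,xlsx,ppt,pptx,pps,ppsx,zip,jpg,png,mp3', '')
ANDREAS = ('png,gif,jpg,jpeg,pdf', '*')


class IllegalFileExtensionException(Exception):
    pass


def verify_against_deny_pattern(filename, pattern=FILE_DENY_PATTERN):
    """True when the name does NOT match fileDenyPattern (the global blacklist)."""
    if not filename or not pattern:
        return True
    return re.search(pattern, filename, re.IGNORECASE) is None


def _as_set(csv):
    return {e.strip().lower() for e in csv.split(',') if e.strip()}


def check_file_extension_permission(filename, allow, deny, pattern=FILE_DENY_PATTERN):
    """Model of checkFileExtensionPermission(). The evaluation order is my reading
    of BasicFileUtility::is_allowed() and is an ASSUMPTION:
      1. a fileDenyPattern match always rejects;
      2. extension in allow, or allow == '*'  -> accept;
      3. extension in deny,  or deny  == '*'  -> reject;
      4. otherwise accept (so an allow list alone is not a whitelist);
      5. no extension at all (e.g. /tmp/phppLHCKS): accept unless deny == '*'
         and allow != '*'.
    """
    if not verify_against_deny_pattern(filename, pattern):
        return False
    basename = filename.rsplit('/', 1)[-1]
    ext = basename.rsplit('.', 1)[1].lower() if '.' in basename else ''
    if allow.strip() == '*' or (ext and ext in _as_set(allow)):
        return True
    if deny.strip() == '*' or (ext and ext in _as_set(deny)):
        return False
    return True


def assure_file_add_permissions_62(local_file_path, target_file_name, allow, deny):
    """The 6.2 check as quoted in the thread: the target name AND the temporary
    upload path are both tested against the allow/deny configuration."""
    if (not check_file_extension_permission(target_file_name, allow, deny)
            or (local_file_path
                and not check_file_extension_permission(local_file_path, allow, deny))):
        raise IllegalFileExtensionException(
            'Extension of file name is not allowed in "%s"!' % target_file_name)
    return True


def assure_file_add_permissions_fixed(local_file_path, target_file_name, allow, deny):
    """Only the name the file will be stored under is security relevant; PHP's
    temp name is never served by the web server, so it is not tested here."""
    if not check_file_extension_permission(target_file_name, allow, deny):
        raise IllegalFileExtensionException(
            'Extension of file name is not allowed in "%s"!' % target_file_name)
    return True


def upload_outcome(check, target_file_name, config, tmp_name='/tmp/phppLHCKS'):
    """Run one of the two checks for an upload; returns 'accepted' or 'rejected'."""
    allow, deny = config
    try:
        check(tmp_name, target_file_name, allow, deny)
        return 'accepted'
    except IllegalFileExtensionException:
        return 'rejected'


if __name__ == '__main__':
    names = ['index2.jpeg', 'report.html', 'shell.php', 'shell.php.txt', '.htaccess']
    for label, config in [('DEFAULT_62', DEFAULT_62), ('REPORTER', REPORTER),
                          ('ANDREAS', ANDREAS)]:
        print(label, 'allow=%r deny=%r' % config)
        for name in names:
            print('  %-14s 6.2: %-8s fixed: %s' % (
                name,
                upload_outcome(assure_file_add_permissions_62, name, config),
                upload_outcome(assure_file_add_permissions_fixed, name, config)))
```

Under these assumed semantics two things fall out. An allow list on its own, as in the reporter's configuration, never rejects anything that fileDenyPattern lets through, because an extension found in neither list is accepted, so report.html uploads fine. Turning it into a real whitelist with deny = '*', as Andreas did, is exactly what makes the 6.2 check fail on the extension-less temp name, which the default deny list does not trip over (the name contains "php" but no dot, so the pattern does not match). Both checks look at names only; no content inspection happens, as Alexander notes.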
Updated by Gerrit Code Review about 10 years ago
- Status changed from Accepted to Under Review
Patch set 1 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at http://review.typo3.org/32817
Updated by Alexander Opitz about 10 years ago
- Status changed from Under Review to Resolved
- % Done changed from 0 to 100
Applied in changeset a5905649de059f10cb2ebdbae75de5eca1952e55.
Updated by Gerrit Code Review about 10 years ago
- Status changed from Resolved to Under Review
Patch set 1 for branch TYPO3_6-2 of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at http://review.typo3.org/32929
Updated by Gerrit Code Review about 10 years ago
Patch set 2 for branch TYPO3_6-2 of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at http://review.typo3.org/32929
Updated by Gerrit Code Review about 10 years ago
Patch set 3 for branch TYPO3_6-2 of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at http://review.typo3.org/32929
Updated by Gerrit Code Review about 10 years ago
Patch set 4 for branch TYPO3_6-2 of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at http://review.typo3.org/32929
Updated by Gerrit Code Review about 10 years ago
Patch set 1 for branch TYPO3_6-2 of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at http://review.typo3.org/32930
Updated by Gerrit Code Review about 10 years ago
Patch set 2 for branch TYPO3_6-2 of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at http://review.typo3.org/32930
Updated by Alexander Opitz about 10 years ago
- Status changed from Under Review to Resolved
Applied in changeset 103e0172bb4a2e46a1952735890e199fee605b8f.
Updated by Florian Seirer about 9 years ago
Can somebody reopen this?
This still seems to be not working in 6.2.15 and 7.5.0.
My config is:
'fileDenyPattern' => '\\.(php[3-6]?|phpsh|phtml)(\\..*)?$|^\\.htaccess$', // <- Default
'fileExtensions' => array(
    'webspace' => array(
        'allow' => 'pdf,doc,docx,xls,xlsx,ppt,pptx,pps,ppsx,zip,jpg,png,mp3',
    ),
),
and I can still import any filetype except the ones from fileDenyPattern.
I can also rename files to a .php extension, but this might be another (big?) issue altogether.
Updated by Denis Mir over 8 years ago
I can confirm that with TYPO3 6.2.22 the file list does ignore this setting:
$TYPO3_CONF_VARS['BE']['fileExtensions']['webspace']['allow']
The only thing that does work is setting a blacklist with 'fileDenyPattern'.