Project

General

Profile

Actions

Bug #58367

closed

['BE']['fileExtensions']['webspace']['allow'] not working in 6.2

Added by Florian Seirer over 10 years ago. Updated about 6 years ago.

Status:
Closed
Priority:
Should have
Assignee:
-
Category:
File Abstraction Layer (FAL)
Target version:
-
Start date:
2014-04-30
Due date:
% Done:

100%

Estimated time:
TYPO3 Version:
6.2
PHP Version:
Tags:
Complexity:
Is Regression:
No
Sprint Focus:

Description

In TYPO3 4.7

$TYPO3_CONF_VARS['BE']['fileDenyPattern'] = '\\.(php[3-6]?|phpsh|phtml)(\\..*)?$|^\\.htaccess$';
$TYPO3_CONF_VARS['BE']['fileExtensions']['webspace']['allow'] = 'pdf,doc,docx,xls,xlsx,ppt,pptx,pps,ppsx,zip,jpg,png,mp3';

was set in localconf.php to allow only certain file types in the flash uploader. HTML or JS files couldn't be uploaded with this configuration, but could still linked once they were in the file system (mostly imported by admins via FTP).

This also made filetypes easier to manage because you only had to list the few allowed filetypes, instead of listing the myriads of unwanted filetypes in fileDenyPattern.

In 6.2 this is migrated to LocalConfiguration.php, but only

['BE']['fileDenyPattern']
seems to be working. Now I can upload html or files without an error.

Is this a bug, or was this feature deprecated without my knowledge?

By the way, fileExtensions isn't integrated in the install tool in any TYPO3 version. Maybe it should be, if this is still a feature?

Actions #1

Updated by Palian Schulz about 10 years ago

I have the same Problem, would be great if this would work in 6.2.

Actions #2

Updated by Alexander Opitz about 10 years ago

  • Category set to File Abstraction Layer (FAL)
  • Status changed from New to Accepted
Actions #3

Updated by Andreas Kießling about 10 years ago

I'm suffering from the same bug. The check assureFileAddPermissions in ResourceStorage.php (around line 850) tests the temporary name from a file upload against the allowed / disallowed extensions. But since it has no extension, it throws an exception. Currently, you need to set allow to * to make this work

Actions #4

Updated by Alexander Opitz about 10 years ago

The problem is TYPO3\CMS\Core\Resource\ResourceStorage->assureFileAddPermissions():850 the $localFilePath (which is the tempFile) is checked against the file (Deny/Allow) patterns.

Fixing this with using an empty string in assureFileUploadPermissions (like createFile() do) does not help, couse the calling function addUploadedFile() later calls addFile which again calls assureFileAddPermissions() with the temp file as $localFilePath.

So the question is should the test of $localFilePath should be eliminated completely? In our PoV we only need securing file names of files which we save. A security test for the content of the files isn't implemented, so IMHO it doesn't matter if $localFilePath is inside the allow/deny pattern or not.

Actions #5

Updated by Frans Saris about 10 years ago

Could you maybe add a stacktrace of all that happens until this check? (just add "throw new \Exception();" in the ResourceStorage.

I'm interested to know why/and from where the temp filename is used as this function imo isn't supposed to handle temporary files.

Actions #6

Updated by Helmut Hummel about 10 years ago

Andreas Kiessling wrote:

I'm suffering from the same bug.

What exactly is the bug you encounter?
The reporter misses the (silently dropped) possibility to add file extension white list constraints by ['webspace']['allow']

What you describe, seems to be a different issue.

tests the temporary name from a file upload against the allowed / disallowed extensions. But since it has no extension, it throws an exception.

This is not true for the default file deny pattern. What pattern do you use?

Currently, you need to set allow to * to make this work

Most likely not a good idea to do so.

Actions #7

Updated by Alexander Opitz about 10 years ago

#0  TYPO3\CMS\Core\Resource\ResourceStorage->assureFileAddPermissions(, TYPO3\CMS\Core\Resource\Folder Object ([] => TYPO3\CMS\Core\Resource\ResourceStorage Object ([] => TYPO3\CMS\Core\Resource\Driver\LocalDriver Object ([] => /home/opitz/webs/typo3-master/fileadmin/,[] => Array ([0] => sha1,[1] => md5),[] => fileadmin/,[] => ,[] => Array ([_recycler_] => recycler,[_temp_] => temporary,[user_upload] => userupload),[] => 7,[] => 1,[] => Array ([basePath] => fileadmin/,[pathType] => relative,[caseSensitive] => 1)),[] => Array ([uid] => 1,[pid] => 0,[tstamp] => 1396271145,[crdate] => 1380263955,[cruser_id] => 0,[deleted] => 0,[hidden] => 0,[name] => fileadmin/ (auto-created),[description] => This is the local fileadmin/ directory. This storage mount has been created automatically by TYPO3.,[driver] => Local,[configuration] => <?xml version="1.0" encoding="utf-8" standalone="yes" ?>
<T3FlexForms>
    <data>
        <sheet index="sDEF">
            <language index="lDEF">
                <field index="basePath">
                    <value index="vDEF">fileadmin/</value>
                </field>
                <field index="pathType">
                    <value index="vDEF">relative</value>
                </field>
                <field index="caseSensitive">
                    <value index="vDEF">1</value>
                </field>
            </language>
        </sheet>
    </data>
</T3FlexForms>,[is_browsable] => 1,[is_public] => 1,[is_writable] => 1,[is_online] => 1,[processingfolder] => ,[mount_point_file_type_1] => 0,[mount_point_file_type_2] => 0,[mount_point_file_type_3] => 0,[mount_point_file_type_4] => 0,[mount_point_file_type_5] => 0,[maximum_dimension_original_image] => ,[extension_allowed_file_type_1] => ,[extension_allowed_file_type_2] => ,[extension_allowed_file_type_3] => ,[extension_allowed_file_type_4] => ,[extension_allowed_file_type_5] => ,[is_default] => 1),[] => Array ([basePath] => fileadmin/,[pathType] => relative,[caseSensitive] => 1),[] => ,[] => 1,[] => Array ([/] => Array ([uid] => 1,[pid] => 0,[tstamp] => 1410871238,[title] => fileadmin,[path] => /,[base] => 1,[hidden] => 0,[deleted] => 0,[sorting] => 256,[read_only] => 0,[folder] => TYPO3\CMS\Core\Resource\Folder Object ([] => TYPO3\CMS\Core\Resource\ResourceStorage Object ( *RECURSION*,[] => /,[] => ,[] => Array ()))),[] => Array ([addFile] => 1,[readFile] => 1,[writeFile] => 1,[copyFile] => ,[moveFile] => 1,[renameFile] => 1,[unzipFile] => 1,[deleteFile] => 1,[addFolder] => 1,[readFolder] => 1,[writeFolder] => 1,[copyFolder] => ,[moveFolder] => 1,[renameFolder] => 1,[deleteFolder] => 1,[recursivedeleteFolder] => ,[files_upload] => 1),[] => 7,[] => ,[] => TYPO3\CMS\Core\Resource\Folder Object ([] => TYPO3\CMS\Core\Resource\ResourceStorage Object ( *RECURSION*,[] => /_processed_/,[] => _processed_,[] => Array ()),[] => 1,[] => 1,[] => Array ([0] => Array ([0] => TYPO3\CMS\Core\Resource\Filter\FileNameFilter,[1] => filterHiddenFilesAndFolders))),[] => /,[] => ,[] => Array ()), index2.jpeg) called at [/typo3-master/typo3-src/typo3/sysext/core/Classes/Resource/ResourceStorage.php:890]
#1  TYPO3\CMS\Core\Resource\ResourceStorage->assureFileUploadPermissions(/tmp/phppLHCKS, TYPO3\CMS\Core\Resource\Folder Object ([] => TYPO3\CMS\Core\Resource\ResourceStorage Object ([] => TYPO3\CMS\Core\Resource\Driver\LocalDriver Object ([] => /home/opitz/webs/typo3-master/fileadmin/,[] => Array ([0] => sha1,[1] => md5),[] => fileadmin/,[] => ,[] => Array ([_recycler_] => recycler,[_temp_] => temporary,[user_upload] => userupload),[] => 7,[] => 1,[] => Array ([basePath] => fileadmin/,[pathType] => relative,[caseSensitive] => 1)),[] => Array ([uid] => 1,[pid] => 0,[tstamp] => 1396271145,[crdate] => 1380263955,[cruser_id] => 0,[deleted] => 0,[hidden] => 0,[name] => fileadmin/ (auto-created),[description] => This is the local fileadmin/ directory. This storage mount has been created automatically by TYPO3.,[driver] => Local,[configuration] => <?xml version="1.0" encoding="utf-8" standalone="yes" ?>
<T3FlexForms>
    <data>
        <sheet index="sDEF">
            <language index="lDEF">
                <field index="basePath">
                    <value index="vDEF">fileadmin/</value>
                </field>
                <field index="pathType">
                    <value index="vDEF">relative</value>
                </field>
                <field index="caseSensitive">
                    <value index="vDEF">1</value>
                </field>
            </language>
        </sheet>
    </data>
</T3FlexForms>,[is_browsable] => 1,[is_public] => 1,[is_writable] => 1,[is_online] => 1,[processingfolder] => ,[mount_point_file_type_1] => 0,[mount_point_file_type_2] => 0,[mount_point_file_type_3] => 0,[mount_point_file_type_4] => 0,[mount_point_file_type_5] => 0,[maximum_dimension_original_image] => ,[extension_allowed_file_type_1] => ,[extension_allowed_file_type_2] => ,[extension_allowed_file_type_3] => ,[extension_allowed_file_type_4] => ,[extension_allowed_file_type_5] => ,[is_default] => 1),[] => Array ([basePath] => fileadmin/,[pathType] => relative,[caseSensitive] => 1),[] => ,[] => 1,[] => Array ([/] => Array ([uid] => 1,[pid] => 0,[tstamp] => 1410871238,[title] => fileadmin,[path] => /,[base] => 1,[hidden] => 0,[deleted] => 0,[sorting] => 256,[read_only] => 0,[folder] => TYPO3\CMS\Core\Resource\Folder Object ([] => TYPO3\CMS\Core\Resource\ResourceStorage Object ( *RECURSION*,[] => /,[] => ,[] => Array ()))),[] => Array ([addFile] => 1,[readFile] => 1,[writeFile] => 1,[copyFile] => ,[moveFile] => 1,[renameFile] => 1,[unzipFile] => 1,[deleteFile] => 1,[addFolder] => 1,[readFolder] => 1,[writeFolder] => 1,[copyFolder] => ,[moveFolder] => 1,[renameFolder] => 1,[deleteFolder] => 1,[recursivedeleteFolder] => ,[files_upload] => 1),[] => 7,[] => ,[] => TYPO3\CMS\Core\Resource\Folder Object ([] => TYPO3\CMS\Core\Resource\ResourceStorage Object ( *RECURSION*,[] => /_processed_/,[] => _processed_,[] => Array ()),[] => 1,[] => 1,[] => Array ([0] => Array ([0] => TYPO3\CMS\Core\Resource\Filter\FileNameFilter,[1] => filterHiddenFilesAndFolders))),[] => /,[] => ,[] => Array ()), index2.jpeg, 10845) called at [/typo3-master/typo3-src/typo3/sysext/core/Classes/Resource/ResourceStorage.php:1730]
#2  TYPO3\CMS\Core\Resource\ResourceStorage->addUploadedFile(Array ([name] => index2.jpeg,[type] => image/jpeg,[tmp_name] => /tmp/phppLHCKS,[size] => 10845), TYPO3\CMS\Core\Resource\Folder Object ([] => TYPO3\CMS\Core\Resource\ResourceStorage Object ([] => TYPO3\CMS\Core\Resource\Driver\LocalDriver Object ([] => /home/opitz/webs/typo3-master/fileadmin/,[] => Array ([0] => sha1,[1] => md5),[] => fileadmin/,[] => ,[] => Array ([_recycler_] => recycler,[_temp_] => temporary,[user_upload] => userupload),[] => 7,[] => 1,[] => Array ([basePath] => fileadmin/,[pathType] => relative,[caseSensitive] => 1)),[] => Array ([uid] => 1,[pid] => 0,[tstamp] => 1396271145,[crdate] => 1380263955,[cruser_id] => 0,[deleted] => 0,[hidden] => 0,[name] => fileadmin/ (auto-created),[description] => This is the local fileadmin/ directory. This storage mount has been created automatically by TYPO3.,[driver] => Local,[configuration] => <?xml version="1.0" encoding="utf-8" standalone="yes" ?>
<T3FlexForms>
    <data>
        <sheet index="sDEF">
            <language index="lDEF">
                <field index="basePath">
                    <value index="vDEF">fileadmin/</value>
                </field>
                <field index="pathType">
                    <value index="vDEF">relative</value>
                </field>
                <field index="caseSensitive">
                    <value index="vDEF">1</value>
                </field>
            </language>
        </sheet>
    </data>
</T3FlexForms>,[is_browsable] => 1,[is_public] => 1,[is_writable] => 1,[is_online] => 1,[processingfolder] => ,[mount_point_file_type_1] => 0,[mount_point_file_type_2] => 0,[mount_point_file_type_3] => 0,[mount_point_file_type_4] => 0,[mount_point_file_type_5] => 0,[maximum_dimension_original_image] => ,[extension_allowed_file_type_1] => ,[extension_allowed_file_type_2] => ,[extension_allowed_file_type_3] => ,[extension_allowed_file_type_4] => ,[extension_allowed_file_type_5] => ,[is_default] => 1),[] => Array ([basePath] => fileadmin/,[pathType] => relative,[caseSensitive] => 1),[] => ,[] => 1,[] => Array ([/] => Array ([uid] => 1,[pid] => 0,[tstamp] => 1410871238,[title] => fileadmin,[path] => /,[base] => 1,[hidden] => 0,[deleted] => 0,[sorting] => 256,[read_only] => 0,[folder] => TYPO3\CMS\Core\Resource\Folder Object ([] => TYPO3\CMS\Core\Resource\ResourceStorage Object ( *RECURSION*,[] => /,[] => ,[] => Array ()))),[] => Array ([addFile] => 1,[readFile] => 1,[writeFile] => 1,[copyFile] => ,[moveFile] => 1,[renameFile] => 1,[unzipFile] => 1,[deleteFile] => 1,[addFolder] => 1,[readFolder] => 1,[writeFolder] => 1,[copyFolder] => ,[moveFolder] => 1,[renameFolder] => 1,[deleteFolder] => 1,[recursivedeleteFolder] => ,[files_upload] => 1),[] => 7,[] => ,[] => TYPO3\CMS\Core\Resource\Folder Object ([] => TYPO3\CMS\Core\Resource\ResourceStorage Object ( *RECURSION*,[] => /_processed_/,[] => _processed_,[] => Array ()),[] => 1,[] => 1,[] => Array ([0] => Array ([0] => TYPO3\CMS\Core\Resource\Filter\FileNameFilter,[1] => filterHiddenFilesAndFolders))),[] => /,[] => ,[] => Array ()), index2.jpeg, replace) called at [/typo3-master/typo3-src/typo3/sysext/core/Classes/Resource/Folder.php:258]
#3  TYPO3\CMS\Core\Resource\Folder->addUploadedFile(Array ([name] => index2.jpeg,[type] => image/jpeg,[tmp_name] => /tmp/phppLHCKS,[size] => 10845), replace) called at [/typo3-master/typo3-src/typo3/sysext/core/Classes/Utility/File/ExtendedFileUtility.php:928]
#4  TYPO3\CMS\Core\Utility\File\ExtendedFileUtility->func_upload(Array ([target] => 1:/,[data] => 1)) called at [/typo3-master/typo3-src/typo3/sysext/core/Classes/Utility/File/ExtendedFileUtility.php:257]
#5  TYPO3\CMS\Core\Utility\File\ExtendedFileUtility->processData() called at [/typo3-master/typo3-src/typo3/sysext/backend/Classes/Controller/File/FileController.php:121]
#6  TYPO3\CMS\Backend\Controller\File\FileController->main() called at [/typo3-master/typo3-src/typo3/sysext/backend/Classes/Controller/File/FileController.php:152]
#7  TYPO3\CMS\Backend\Controller\File\FileController->processAjaxRequest(Array (), TYPO3\CMS\Core\Http\AjaxRequestHandler Object ([] => TYPO3_tcefile::process,[] => ,[] => ,[] => Array (),[] => plain,[] => utf-8,[] => utf-8,[] => 
        <script type="text/javascript">
            /*<![CDATA[*/
            response = |;
            /*]]>*/
        </script>
    ))
#8  call_user_func_array(Array ([0] => TYPO3\CMS\Backend\Controller\File\FileController Object ([] => Array ([upload] => Array ([1] => Array ([target] => 1:/,[data] => 1))),[] => ,[] => 1,[] => ,[] => ,[] => TYPO3\CMS\Core\Utility\File\ExtendedFileUtility Object ([unzipPath] => ,[dontCheckForUnique] => 1,[actionPerms] => Array ([addFile] => 1,[readFile] => 1,[writeFile] => 1,[copyFile] => ,[moveFile] => 1,[renameFile] => 1,[unzipFile] => 1,[deleteFile] => 1,[addFolder] => 1,[readFolder] => 1,[writeFolder] => 1,[copyFolder] => ,[moveFolder] => 1,[renameFolder] => 1,[deleteFolder] => 1,[recursivedeleteFolder] => ,[files_upload] => 1),[recyclerFN] => _recycler_,[useRecycler] => 1,[internalUploadMap] => Array (),[lastError] => ,[] => Array (),[] => Array ([upload] => Array ([1] => Array ([target] => 1:/,[data] => 1))),[] => TYPO3\CMS\Core\Resource\ResourceFactory Object ([] => Array ([1] => TYPO3\CMS\Core\Resource\ResourceStorage Object ([] => TYPO3\CMS\Core\Resource\Driver\LocalDriver Object ([] => /home/opitz/webs/typo3-master/fileadmin/,[] => Array ([0] => sha1,[1] => md5),[] => fileadmin/,[] => ,[] => Array ([_recycler_] => recycler,[_temp_] => temporary,[user_upload] => userupload),[] => 7,[] => 1,[] => Array ([basePath] => fileadmin/,[pathType] => relative,[caseSensitive] => 1)),[] => Array ([uid] => 1,[pid] => 0,[tstamp] => 1396271145,[crdate] => 1380263955,[cruser_id] => 0,[deleted] => 0,[hidden] => 0,[name] => fileadmin/ (auto-created),[description] => This is the local fileadmin/ directory. This storage mount has been created automatically by TYPO3.,[driver] => Local,[configuration] => <?xml version="1.0" encoding="utf-8" standalone="yes" ?>
<T3FlexForms>
    <data>
        <sheet index="sDEF">
            <language index="lDEF">
                <field index="basePath">
                    <value index="vDEF">fileadmin/</value>
                </field>
                <field index="pathType">
                    <value index="vDEF">relative</value>
                </field>
                <field index="caseSensitive">
                    <value index="vDEF">1</value>
                </field>
            </language>
        </sheet>
    </data>
</T3FlexForms>,[is_browsable] => 1,[is_public] => 1,[is_writable] => 1,[is_online] => 1,[processingfolder] => ,[mount_point_file_type_1] => 0,[mount_point_file_type_2] => 0,[mount_point_file_type_3] => 0,[mount_point_file_type_4] => 0,[mount_point_file_type_5] => 0,[maximum_dimension_original_image] => ,[extension_allowed_file_type_1] => ,[extension_allowed_file_type_2] => ,[extension_allowed_file_type_3] => ,[extension_allowed_file_type_4] => ,[extension_allowed_file_type_5] => ,[is_default] => 1),[] => Array ([basePath] => fileadmin/,[pathType] => relative,[caseSensitive] => 1),[] => ,[] => 1,[] => Array ([/] => Array ([uid] => 1,[pid] => 0,[tstamp] => 1410871238,[title] => fileadmin,[path] => /,[base] => 1,[hidden] => 0,[deleted] => 0,[sorting] => 256,[read_only] => 0,[folder] => TYPO3\CMS\Core\Resource\Folder Object ([] => TYPO3\CMS\Core\Resource\ResourceStorage Object ( *RECURSION*,[] => /,[] => ,[] => Array ()))),[] => Array ([addFile] => 1,[readFile] => 1,[writeFile] => 1,[copyFile] => ,[moveFile] => 1,[renameFile] => 1,[unzipFile] => 1,[deleteFile] => 1,[addFolder] => 1,[readFolder] => 1,[writeFolder] => 1,[copyFolder] => ,[moveFolder] => 1,[renameFolder] => 1,[deleteFolder] => 1,[recursivedeleteFolder] => ,[files_upload] => 1),[] => 7,[] => ,[] => TYPO3\CMS\Core\Resource\Folder Object ([] => TYPO3\CMS\Core\Resource\ResourceStorage Object ( *RECURSION*,[] => /_processed_/,[] => _processed_,[] => Array ()),[] => 1,[] => 1,[] => Array ([0] => Array ([0] => TYPO3\CMS\Core\Resource\Filter\FileNameFilter,[1] => filterHiddenFilesAndFolders)))),[] => Array (),[] => Array (),[] => Array (),[] => ,[] => TYPO3\CMS\Extbase\SignalSlot\Dispatcher Object ([] => 1,[] => TYPO3\CMS\Extbase\Object\ObjectManager Object ([] => TYPO3\CMS\Extbase\Object\Container\Container Object ([] => TYPO3\CMS\Extbase\Object\Container\ClassInfoCache Object ([] => Array ([ac1fb600d327a78112d7957f63c9cb13] => TYPO3\CMS\Extbase\Object\Container\ClassInfo Object ([] => TYPO3\CMS\Extensionmanager\Utility\ConfigurationUtility,[] => Array (),[] => Array (),[] => Array ([objectManager] => TYPO3\CMS\Extbase\Object\ObjectManager),[] => 1,[] => ),[48ee39591354d5b031b745485de55720] => TYPO3\CMS\Extbase\Object\Container\ClassInfo Object ([] => TYPO3\CMS\Extbase\Object\ObjectManager,[] => Array (),[] => Array (),[] => Array (),[] => 1,[] => ),[5d58ff385d851c4649503e2a64ee158d] => TYPO3\CMS\Extbase\Object\Container\ClassInfo Object ([] => TYPO3\CMS\Core\TypoScript\ConfigurationForm,[] => Array (),[] => Array (),[] => Array (),[] => ,[] => ),[f4161c7b5ff989cc5937476177f76d76] => TYPO3\CMS\Extbase\Object\Container\ClassInfo Object ([] => TYPO3\CMS\Extbase\SignalSlot\Dispatcher,[] => Array (),[] => Array (),[] => Array (),[] => 1,[] => 1),[f56378169db4df0a14757de6f6a254d7] => TYPO3\CMS\Extbase\Object\Container\ClassInfo Object ([] => TYPO3\CMS\Core\Resource\Security\StoragePermissionsAspect,[] => Array ([0] => Array ([name] => backendUserAuthentication,[defaultValue] => )),[] => Array (),[] => Array (),[] => ,[] => )),[] => TYPO3\CMS\Core\Cache\Frontend\VariableFrontend Object ([] => ,[] => extbase_object,[] => TYPO3\CMS\Core\Cache\Backend\Typo3DatabaseBackend Object ([] => cf_extbase_object,[] => cf_extbase_object_tags,[] => ,[] => -1,[] => cf_extbase_object.identifier,[] => cf_extbase_object.expires,[] => 735034523,[] => cf_extbase_object.expires >= 1410875077,[] => cf_extbase_object.expires < 1410875077,[] => cf_extbase_object, cf_extbase_object_tags,[] => cf_extbase_object.identifier = cf_extbase_object_tags.identifier,[] => TYPO3\CMS\Core\Cache\Frontend\VariableFrontend Object ( *RECURSION*,[] => extbase_object,[] => production,[] => 0))),[] => Array ([TYPO3\CMS\Extbase\Persistence\QueryInterface] => TYPO3\CMS\Extbase\Persistence\Generic\Query,[TYPO3\CMS\Extbase\Persistence\QueryResultInterface] => TYPO3\CMS\Extbase\Persistence\Generic\QueryResult,[TYPO3\CMS\Extbase\Persistence\PersistenceManagerInterface] => TYPO3\CMS\Extbase\Persistence\Generic\PersistenceManager,[TYPO3\CMS\Extbase\Persistence\Generic\Storage\BackendInterface] => TYPO3\CMS\Extbase\Persistence\Generic\Storage\Typo3DbBackend,[TYPO3\CMS\Extbase\Persistence\Generic\QuerySettingsInterface] => TYPO3\CMS\Extbase\Persistence\Generic\Typo3QuerySettings),[] => ,[] => Array ([TYPO3\CMS\Extensionmanager\Utility\ConfigurationUtility] => TYPO3\CMS\Extensionmanager\Utility\ConfigurationUtility Object ([] => TYPO3\CMS\Extbase\Object\ObjectManager Object ( *RECURSION*),[TYPO3\CMS\Extbase\Object\ObjectManager] => TYPO3\CMS\Extbase\Object\ObjectManager Object ( *RECURSION*,[TYPO3\CMS\Extbase\SignalSlot\Dispatcher] => TYPO3\CMS\Extbase\SignalSlot\Dispatcher Object ( *RECURSION*),[] => Array ())),[] => Array ([TYPO3\CMS\Core\Resource\ResourceFactory] => Array ([postProcessStorage] => Array ([0] => Array ([class] => TYPO3\CMS\Core\Resource\Security\StoragePermissionsAspect,[method] => addUserPermissionsToStorage,[object] => ,[passSignalInformation] => 1))),[PackageManagement] => Array ([packagesMayHaveChanged] => Array ([0] => Array ([class] => TYPO3\CMS\Core\Package\PackageManager,[method] => scanAvailablePackages,[object] => ,[passSignalInformation] => 1))),[TYPO3\CMS\Core\Resource\ResourceStorage] => Array ([postFileDelete] => Array ([0] => Array ([class] => TYPO3\CMS\Core\Resource\Processing\FileDeletionAspect,[method] => removeFromRepository,[object] => ,[passSignalInformation] => 1)),[preFileAdd] => Array ([0] => Array ([class] => Causal\ImageAutoresize\Slots\FileUpload,[method] => autoResize,[object] => ,[passSignalInformation] => 1)),[postFileAdd] => Array ([0] => Array ([class] => Causal\ImageAutoresize\Slots\FileUpload,[method] => populateMetadata,[object] => ,[passSignalInformation] => 1))),[TYPO3\CMS\Core\Tree\TableConfiguration\TableConfiguration\DatabaseTreeDataProvider] => Array ([PostProcessTreeData] => Array ([0] => Array ([class] => TYPO3\CMS\Backend\Security\CategoryPermissionsAspect,[method] => addUserPermissionsToCategoryTreeData,[object] => ,[passSignalInformation] => 1))),[TYPO3\CMS\Extensionmanager\Service\ExtensionManagementService] => Array ([willInstallExtensions] => Array ([0] => Array ([class] => TYPO3\CMS\Core\Package\PackageManager,[method] => scanAvailablePackages,[object] => ,[passSignalInformation] => 1)),[hasInstalledExtensions] => Array ([0] => Array ([class] => TYPO3\CMS\Core\Package\PackageManager,[method] => updatePackagesForClassLoader,[object] => ,[passSignalInformation] => 1))),[TYPO3\CMS\Extensionmanager\Utility\InstallUtility] => Array ([tablesDefinitionIsBeingBuilt] => Array ([0] => Array ([class] => TYPO3\CMS\Core\Cache\Cache,[method] => addCachingFrameworkRequiredDatabaseSchemaToTablesDefinition,[object] => ,[passSignalInformation] => 1),[1] => Array ([class] => TYPO3\CMS\Core\Category\CategoryRegistry,[method] => addExtensionCategoryDatabaseSchemaToTablesDefinition,[object] => ,[passSignalInformation] => 1))),[TYPO3\CMS\Install\Service\SqlExpectedSchemaService] => Array ([tablesDefinitionIsBeingBuilt] => Array ([0] => Array ([class] => TYPO3\CMS\Install\Service\CachingFrameworkDatabaseSchemaService,[method] => addCachingFrameworkRequiredDatabaseSchemaToTablesDefinition,[object] => ,[passSignalInformation] => 1),[1] => Array ([class] => TYPO3\CMS\Core\Category\CategoryRegistry,[method] => addCategoryDatabaseSchemaToTablesDefinition,[object] => ,[passSignalInformation] => 1))),[TYPO3\CMS\Extensionmanager\ViewHelpers\ProcessAvailableActionsViewHelper] => Array ([processActions] => Array ([0] => Array ([class] => TYPO3\CMS\Documentation\Slots\ExtensionManager,[method] => processActions,[object] => ,[passSignalInformation] => 1),[1] => Array ([class] => Causal\ImageAutoresize\Slots\ExtensionManager,[method] => processActions,[object] => ,[passSignalInformation] => 1))),[TYPO3\CMS\Vidi\Controller\Backend\ContentController] => Array ([processContentData] => Array ([0] => Array ([class] => TYPO3\CMS\Vidi\Processor\ContentObjectProcessor,[method] => processRelations,[object] => ,[passSignalInformation] => 1),[1] => Array ([class] => TYPO3\CMS\Vidi\Processor\MarkerProcessor,[method] => processMarkers,[object] => ,[passSignalInformation] => 1)),[postProcessMatcherObject] => Array ([0] => Array ([class] => TYPO3\CMS\Media\Security\FilePermissionsAspect,[method] => addFilePermissions,[object] => ,[passSignalInformation] => 1)))))),[getUniqueNamePrefix] => ,[maxNumber] => 99,[uniquePrecision] => 6,[maxInputNameLen] => 60,[tempFN] => _temp_,[f_ext] => Array ([webspace] => Array ([allow] => ,[deny] => php,php3,php4,php5,php6,phpsh,inc,phtml),[ftpspace] => Array ([allow] => *,[deny] => )),[mounts] => Array (),[webPath] => /home/opitz/webs/typo3-master,[isInit] => 1,[csConvObj] => ),[] => ),[1] => processAjaxRequest), Array ([0] => Array (),[1] => TYPO3\CMS\Core\Http\AjaxRequestHandler Object ([] => TYPO3_tcefile::process,[] => ,[] => ,[] => Array (),[] => plain,[] => utf-8,[] => utf-8,[] => 
        <script type="text/javascript">
            /*<![CDATA[*/
            response = |;
            /*]]>*/
        </script>
    ))) called at [/typo3-master/typo3-src/typo3/sysext/core/Classes/Utility/GeneralUtility.php:4232]
#9  TYPO3\CMS\Core\Utility\GeneralUtility::callUserFunction(TYPO3\CMS\Backend\Controller\File\FileController->processAjaxRequest, Array (), TYPO3\CMS\Core\Http\AjaxRequestHandler Object ([] => TYPO3_tcefile::process,[] => ,[] => ,[] => Array (),[] => plain,[] => utf-8,[] => utf-8,[] => 
        <script type="text/javascript">
            /*<![CDATA[*/
            response = |;
            /*]]>*/
        </script>
    ), , 1) called at [/typo3-master/typo3-src/typo3/ajax.php:80]
Actions #8

Updated by Helmut Hummel about 10 years ago

Alexander Opitz wrote:

The problem is TYPO3\CMS\Core\Resource\ResourceStorage->assureFileAddPermissions():850 the $localFilePath (which is the tempFile) is checked against the file (Deny/Allow) patterns.

Fixing this with using an empty string in assureFileUploadPermissions (like createFile() do) does not help, couse the calling function addUploadedFile() later calls addFile which again calls assureFileAddPermissions() with the temp file as $localFilePath.

Can you elaborate why exactly this is an issue?

So the question is should the test of $localFilePath should be eliminated completely? In our PoV we only need securing file names of files which we save. A security test for the content of the files isn't implemented, so IMHO it doesn't matter if $localFilePath is inside the allow/deny pattern or not.

This may be true. However I'd only remove this check if

a) we can proof there is no possibility to exploit it (which we probably can)
b) it actually causes problems (which I currently don't see)

Actions #9

Updated by Frans Saris about 10 years ago

After a quick check it looks to me that:

827        // Check for a valid file extension    
828        if (!$this->checkFileExtensionPermission($targetFileName) || ($localFilePath && !$this->checkFileExtensionPermission($localFilePath))) {
829            throw new Exception\IllegalFileExtensionException('Extension of file name is not allowed in "' . $targetFileName . '"!', 1322120271);
830        }

Should be:

827        // Check for a valid file extension
828        if (!$this->checkFileExtensionPermission($targetFileName) || (!$targetFileName && !$localFilePath && !$this->checkFileExtensionPermission($localFilePath))) {
829            throw new Exception\IllegalFileExtensionException('Extension of file name is not allowed in "' . $targetFileName . '"!', 1322120271);
830        }

Actions #10

Updated by Andreas Kießling about 10 years ago

Helmut Hummel wrote:

Andreas Kiessling wrote:

I'm suffering from the same bug.

What exactly is the bug you encounter?
The reporter misses the (silently dropped) possibility to add file extension white list constraints by ['webspace']['allow']

What you describe, seems to be a different issue.

Nope, same issue

tests the temporary name from a file upload against the allowed / disallowed extensions. But since it has no extension, it throws an exception.

This is not true for the default file deny pattern. What pattern do you use?

$TYPO3_CONF_VARS['BE']['fileExtensions']['webspace']['allow'] = 'png,gif,jpg,jpeg,pdf';
$TYPO3_CONF_VARS['BE']['fileExtensions']['webspace']['deny'] = '*';

Currently, you need to set allow to * to make this work

Most likely not a good idea to do so.

Yep, i totally agree ;)

Actions #11

Updated by Alexander Opitz about 10 years ago

@Helmut

Then please try the issue yourself.

- Configure for example

$TYPO3_CONF_VARS['BE']['fileExtensions']['webspace']['allow'] = 'png,gif,jpg,jpeg,pdf';
$TYPO3_CONF_VARS['BE']['fileExtensions']['webspace']['deny'] = '*';

- Login as non admin user
- Try to upload a file.

Actions #12

Updated by Gerrit Code Review about 10 years ago

  • Status changed from Accepted to Under Review

Patch set 1 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at http://review.typo3.org/32817

Actions #13

Updated by Alexander Opitz about 10 years ago

  • Status changed from Under Review to Resolved
  • % Done changed from 0 to 100
Actions #14

Updated by Gerrit Code Review about 10 years ago

  • Status changed from Resolved to Under Review

Patch set 1 for branch TYPO3_6-2 of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at http://review.typo3.org/32929

Actions #15

Updated by Gerrit Code Review about 10 years ago

Patch set 2 for branch TYPO3_6-2 of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at http://review.typo3.org/32929

Actions #16

Updated by Gerrit Code Review about 10 years ago

Patch set 3 for branch TYPO3_6-2 of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at http://review.typo3.org/32929

Actions #17

Updated by Gerrit Code Review about 10 years ago

Patch set 4 for branch TYPO3_6-2 of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at http://review.typo3.org/32929

Actions #18

Updated by Gerrit Code Review about 10 years ago

Patch set 1 for branch TYPO3_6-2 of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at http://review.typo3.org/32930

Actions #19

Updated by Gerrit Code Review about 10 years ago

Patch set 2 for branch TYPO3_6-2 of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at http://review.typo3.org/32930

Actions #20

Updated by Alexander Opitz about 10 years ago

  • Status changed from Under Review to Resolved
Actions #21

Updated by Florian Seirer about 9 years ago

Can somebody reopen this?
This still seems to be not working in 6.2.15 and 7.5.0.

My config is:

'fileDenyPattern' => '\\.(php[3-6]?|phpsh|phtml)(\\..*)?$|^\\.htaccess$', // <- Default
'fileExtensions' => array(
    'webspace' => array(
        'allow' => 'pdf,doc,docx,xls,xlsx,ppt,pptx,pps,ppsx,zip,jpg,png,mp3',
    ),
),

and I can still import any filetype except the ones from fileDenyPattern.

I can also rename files to a .php extension, but this might be another (big?) issue altogether.

Actions #22

Updated by Denis Mir over 8 years ago

I can confirm that with TYPO3 6.2.22 the file list does ignore this setting:

$TYPO3_CONF_VARS['BE']['fileExtensions']['webspace']['allow']

The only things that does work is setting a blacklist with

'fileDenyPattern'
Actions #23

Updated by Benni Mack about 6 years ago

  • Status changed from Resolved to Closed
Actions

Also available in: Atom PDF