Bug #59303

Retrieving resources with relative links is messy

Added by Nils Blattner over 6 years ago. Updated over 2 years ago.

Status:
Closed
Priority:
Should have
Assignee:
-
Category:
-
Target version:
-
Start date:
2014-06-03
Due date:
% Done:

100%

Estimated time:
TYPO3 Version:
6.2
PHP Version:
Tags:
Complexity:
Is Regression:
No
Sprint Focus:

Description

Hi

The use case is the following:

1) TYPO3 6.2.x installed with symlinks
ls -lah:
... index.php -> typo3_src/index.php
... typo3 -> typo3_src/typo3
... typo3_src -> typo3_src-6.2.3
... typo3_src-6.2.3

2) t3skin installed locally to fix some issues with templavoila

If I open the about module, I get an exception: "#1314516810: File /typo3conf/ext/t3skin/icons/gfx/typo3logo.gif/ does not exist."

The reason behind this is that the about module tries to get the typo3logo.gif and tries to find it in typo3/, which is resolved to "../typo3/../typo3conf/ext/t3skin/icons/gfx/typo3logo.gif" by \TYPO3\CMS\Backend\Utility\IconUtility::skinImg().
=> This path would be correct, if not for the symlink structure
=> Because of the symlink this path now points (on the system level) at "typo3_src-6.2.3/typo3/../typo3conf/ext/t3skin/icons/gfx/typo3logo.gif" or "typo3_src-6.2.3/typo3conf/ext/t3skin/icons/gfx/typo3logo.gif" which does not exist

In \TYPO3\CMS\Core\Resource\ResourceFactory on line 462

} elseif (@is_file(PATH_site . $input)) {

does not find the file and defaults to creating a folder, which does not exist as well.

In order to fix this globally, the ResourceFactory should manually resolve any "/./" or "/../". Otherwise this issue will arise in other locally installed system extensions. Also, I can think of some scenarios where this could potentially be a security issue (e.g. if the TYPO3 source is installed in an external folder on the same level with sensitive data).

Patch will be attached.

Cheers Nils
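The lexical resolution the description asks for, as an added illustration that is not part of this ticket, the attached patch, or TYPO3 core code: "." and ".." segments are collapsed by string manipulation only, so the operating system never gets a chance to follow the typo3 symlink while resolving "..". It goes one step beyond the ticket by also enforcing the containment check referred to in comments #4 and #5 (a resolved path must stay inside the site root). The function names canonicalizePath and resolveInsideSiteRoot, the site root value and the sample inputs are assumptions constructed for the example.

```php
<?php
declare(strict_types=1);

/**
 * Lexical path canonicalisation: "/./" and "/../" are resolved on the
 * string, never by asking the filesystem (realpath() would follow the
 * typo3 -> typo3_src/typo3 symlink first and then step out of
 * typo3_src-6.2.3/ instead of out of the site root).
 *
 * Added example for bug #59303, not TYPO3 core code; names are assumed.
 */
function canonicalizePath(string $path): string
{
    $isAbsolute = $path !== '' && $path[0] === '/';
    // ResourceFactory distinguishes files from folders by the trailing
    // slash, so it must survive normalisation.
    $hasTrailingSlash = strlen($path) > 1 && substr($path, -1) === '/';
    $resolved = [];
    foreach (explode('/', $path) as $segment) {
        if ($segment === '' || $segment === '.') {
            continue; // empty (double slash) and "." contribute nothing
        }
        if ($segment === '..') {
            if ($resolved !== [] && end($resolved) !== '..') {
                array_pop($resolved); // step back over the previous segment
            } elseif (!$isAbsolute) {
                $resolved[] = '..'; // a relative path may climb above its start
            }
            // an absolute path cannot climb above "/": ".." at the root is dropped
            continue;
        }
        $resolved[] = $segment;
    }
    $result = implode('/', $resolved);
    if ($isAbsolute) {
        $result = '/' . $result;
    }
    if ($hasTrailingSlash && $result !== '' && $result !== '/') {
        $result .= '/';
    }
    return $result;
}

/**
 * Resolve a path given relative to the site root and refuse anything that,
 * after canonicalisation, would leave it. Because the check is lexical,
 * a symlinked source directory cannot change the answer.
 * Returns null when the path escapes the site root.
 */
function resolveInsideSiteRoot(string $siteRoot, string $input): ?string
{
    $relative = canonicalizePath(ltrim($input, '/'));
    if ($relative === '..' || strpos($relative, '../') === 0) {
        return null; // would end up above the site root
    }
    return rtrim($siteRoot, '/') . '/' . $relative;
}

// Constructed sample values modelled on the ticket's symlinked layout.
$siteRoot = '/var/www/site';          // assumed PATH_site
$backendDir = 'typo3/';               // the path skinImg() returns is relative to typo3/
$fromTicket = '../typo3/../typo3conf/ext/t3skin/icons/gfx/typo3logo.gif';

// Lexically, "typo3/.." cancels out on both sides and the typo3conf path remains.
printf("canonical:  %s\n", canonicalizePath($backendDir . $fromTicket));
printf("absolute:   %s\n", resolveInsideSiteRoot($siteRoot, $backendDir . $fromTicket));

// Trailing slash (folder request) is preserved.
printf("folder:     %s\n", canonicalizePath('typo3conf/./ext/t3skin/icons/'));

// A constructed path that climbs out of the site root is rejected.
$escaped = resolveInsideSiteRoot($siteRoot, $backendDir . '../../outside/secret.txt');
printf("escape:     %s\n", $escaped === null ? 'rejected' : $escaped);
```

Running the file with the PHP CLI prints the canonical site-relative path for the logo, the same path prefixed with the site root, the folder path with its trailing slash intact, and "rejected" for the constructed escape attempt; the same inputs passed through realpath() on the symlinked layout from the ticket would instead land inside typo3_src-6.2.3/, which is exactly the mismatch that triggers the exception.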


Files

bug_59303.diff (1.01 KB) bug_59303.diff Nils Blattner, 2014-06-03 11:22
#2

Updated by Markus Klein over 6 years ago

  • Project changed from TYPO3 Core to Core Security
  • Category deleted (File Abstraction Layer (FAL))
#3

Updated by Markus Klein over 6 years ago

  • Patch is reviewed set to No
  • Has patch set to No

Moved to security area until it is verified this is not a security issue.

#4

Updated by Helmut Hummel over 6 years ago

  • Project changed from Core Security to TYPO3 Core

I do not see how sensitive data or files can be exposed by this, so this can be handled in our regular bug fixing procedure

#5

Updated by Helmut Hummel over 6 years ago

Helmut Hummel wrote:

I do not see how sensitive data or files can be exposed by this, so this can be handled in our regular bug fixing procedure

To be clear: it is not possible to break out of a storage (not even storage 0) when accessing files. So no security issue here, "only" a bug.

#6

Updated by Gerrit Code Review over 6 years ago

  • Status changed from New to Under Review

Patch set 1 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/30532

#7

Updated by Gerrit Code Review over 6 years ago

Patch set 2 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/30532

#8

Updated by Nils Blattner over 6 years ago

  • Status changed from Under Review to Resolved
  • % Done changed from 0 to 100
#9

Updated by Benni Mack over 2 years ago

  • Status changed from Resolved to Closed
