Project

General

Profile

Actions

Bug #60173

closed

fileDenyPattern is not respected for admins on renaming files

Added by Manuel Wohlers over 10 years ago. Updated about 6 years ago.

Status:
Closed
Priority:
Could have
Assignee:
-
Category:
File Abstraction Layer (FAL)
Target version:
-
Start date:
2014-07-08
Due date:
% Done:

100%

Estimated time:
TYPO3 Version:
6.2
PHP Version:
Tags:
Complexity:
medium
Is Regression:
No
Sprint Focus:

Description

The configured fileDenyPattern is not respected on rename:

A file can be uploaded as "test.jpg" and renamed to "test.php" in the Filelist in Typo3 Backend. Thereafter the php file can be executed.

Verified in Typo3 CMS 6.1.5 and 6.2.3


Related issues 1 (0 open1 closed)

Has duplicate TYPO3 Core - Bug #64619: Different behavior of allowed filename for adminsClosed2015-01-29

Actions
Actions #1

Updated by Oliver Hader over 10 years ago

  • Project changed from TYPO3 Core to 1716
Actions #2

Updated by Helmut Hummel over 10 years ago

  • Project changed from 1716 to TYPO3 Core

Yes, admins can rename files to php files. They can even upload php files and install extensions.

However, it is not allowed and not possible for regular editors to do so.

Actions #3

Updated by Helmut Hummel over 10 years ago

  • Status changed from New to Needs Feedback

Manuel Wohlers wrote:

The configured fileDenyPattern is not respected on rename:

A file can be uploaded as "test.jpg" and renamed to "test.php" in the Filelist in Typo3 Backend. Thereafter the php file can be executed.

Verified in Typo3 CMS 6.1.5 and 6.2.3

You were testing as an admin, right?

btw. If you thing you found security related issues, next time please send a mail to instead of opening a bug report in our public tracker. Thanks!

Actions #4

Updated by Manuel Wohlers over 10 years ago

Yes I tested as admin user.
At least in 6.2.3 it is possible to rename to php but it is not possible to upload a php file directly.
That is confusing and inconsistent but I understand that it is no big deal for security (admins can upload php files in any case e.g. by installing new extensions).

Actions #5

Updated by Helmut Hummel over 10 years ago

  • Category set to File Abstraction Layer (FAL)
  • Status changed from Needs Feedback to Accepted
  • Priority changed from Must have to Could have
  • Complexity set to medium

Manuel Wohlers wrote:

Yes I tested as admin user.

OK. Thanks for your response.

At least in 6.2.3 it is possible to rename to php but it is not possible to upload a php file directly.
That is confusing and inconsistent

Alright. Feel free to create a patch for that (I would be fine either way, allowing admins to upload php files or deny admins to rename to php).

Actions #6

Updated by Torben Hansen about 10 years ago

Of cource, admin users can upload php files (or any content they want) by uploading extensions or by using extensions like quixplorer, but I also think it is confusing that admin users can't upload files in the filelist which matches extensions in fileDenyPattern, but are able to rename/create files with a file extension of their choise.

I will create a patch, so the fileDenyPattern is also checked for admin users.

Actions #7

Updated by Gerrit Code Review about 10 years ago

  • Status changed from Accepted to Under Review

Patch set 1 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at http://review.typo3.org/32610

Actions #8

Updated by Gerrit Code Review almost 10 years ago

Patch set 2 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at http://review.typo3.org/32610

Actions #9

Updated by Gerrit Code Review almost 10 years ago

Patch set 3 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at http://review.typo3.org/32610

Actions #10

Updated by Gerrit Code Review almost 10 years ago

Patch set 4 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at http://review.typo3.org/32610

Actions #11

Updated by Gerrit Code Review almost 10 years ago

Patch set 5 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at http://review.typo3.org/32610

Actions #12

Updated by Gerrit Code Review almost 10 years ago

Patch set 6 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at http://review.typo3.org/32610

Actions #13

Updated by Gerrit Code Review almost 10 years ago

Patch set 7 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at http://review.typo3.org/32610

Actions #14

Updated by Gerrit Code Review almost 10 years ago

Patch set 8 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at http://review.typo3.org/32610

Actions #15

Updated by Helmut Hummel over 9 years ago

  • Status changed from Under Review to New

Patch was abandoned in Gerrit. We leave this open until someone wants to improve the patch to fix this.

Actions #16

Updated by Helmut Hummel over 8 years ago

  • Subject changed from fileDenyPattern is not respected on renaming files to fileDenyPattern is not respected for admins on renaming files
Actions #17

Updated by Gerrit Code Review over 8 years ago

  • Status changed from New to Under Review

Patch set 1 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/48302

Actions #18

Updated by Gerrit Code Review over 8 years ago

Patch set 9 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/32610

Actions #19

Updated by Gerrit Code Review over 8 years ago

Patch set 10 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/32610

Actions #20

Updated by Gerrit Code Review over 8 years ago

Patch set 11 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/32610

Actions #21

Updated by Torben Hansen over 8 years ago

  • Status changed from Under Review to Resolved
  • % Done changed from 0 to 100
Actions #22

Updated by Gerrit Code Review over 8 years ago

  • Status changed from Resolved to Under Review

Patch set 1 for branch TYPO3_7-6 of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/48329

Actions #23

Updated by Gerrit Code Review over 8 years ago

Patch set 1 for branch TYPO3_6-2 of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/48335

Actions #24

Updated by Helmut Hummel over 8 years ago

Torben Hansen wrote:

I will create a patch, so the fileDenyPattern is also checked for admin users.

Thanks a lot for the patch and your patience :)

I merged it in all supported branches now

Actions #25

Updated by Torben Hansen over 8 years ago

  • Status changed from Under Review to Resolved
Actions #26

Updated by Gerrit Code Review over 8 years ago

  • Status changed from Resolved to Under Review

Patch set 1 for branch TYPO3_6-2 of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/48348

Actions #27

Updated by Helmut Hummel over 8 years ago

  • Status changed from Under Review to Resolved
Actions #28

Updated by Benni Mack about 6 years ago

  • Status changed from Resolved to Closed
Actions

Also available in: Atom PDF