Bug #60173

closed

fileDenyPattern is not respected for admins on renaming files

Added by Manuel Wohlers almost 10 years ago. Updated over 5 years ago.

Status:
Closed
Priority:
Could have
Assignee:
-
Category:
File Abstraction Layer (FAL)
Target version:
-
Start date:
2014-07-08
Due date:
% Done:

100%

Estimated time:
TYPO3 Version:
6.2
PHP Version:
Tags:
Complexity:
medium
Is Regression:
No
Sprint Focus:

Description

The configured fileDenyPattern is not respected on rename:

A file can be uploaded as "test.jpg" and renamed to "test.php" in the Filelist in Typo3 Backend. Thereafter the php file can be executed.

Verified in Typo3 CMS 6.1.5 and 6.2.3
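The inconsistency reported above is that the upload path applied the deny pattern while the rename path skipped it for administrators, so the same forbidden name could be reached through a different operation. The following is an added illustration, not TYPO3 core code: a single filename policy that is applied by both the upload and the rename path, with the "before" branch (role-based bypass) shown beside the hardened one. The regular expression is a constructed pattern in the spirit of `fileDenyPattern`, not TYPO3's actual default value; the function names are hypothetical.

```php
<?php
declare(strict_types=1);

// Constructed deny pattern (assumption, for illustration only): it rejects
// PHP-executable extensions anywhere in the name (so "test.php.jpg" is also
// denied, which matters for servers that resolve multiple extensions) and
// .htaccess files. TYPO3's real default is not reproduced here.
const FILE_DENY_PATTERN = '/\.(php[3-8]?|phpsh|phtml|phar)(\..*)?$|^\.htaccess$/i';

// Central policy check: true when the name is acceptable, false when denied.
// Only the basename is inspected so that directory parts cannot hide a match.
function isAllowedFileName(string $name, string $pattern = FILE_DENY_PATTERN): bool
{
    return preg_match($pattern, basename($name)) !== 1;
}

// "Before": the rename path skipped the check for admins. This is the
// behaviour described in the issue, kept here only as the contrast case.
function renameAllowedBefore(bool $isAdmin, string $newName): bool
{
    if ($isAdmin) {
        return true; // policy bypassed for administrators
    }
    return isAllowedFileName($newName);
}

// "After": upload and rename pass through the same gate for every role,
// so the result of an operation does not depend on who performs it.
function renameAllowedAfter(bool $isAdmin, string $newName): bool
{
    return isAllowedFileName($newName);
}

function uploadAllowed(string $fileName): bool
{
    return isAllowedFileName($fileName);
}

// Constructed sample names covering the reported case and a few edge cases.
$cases = ['test.jpg', 'test.php', 'test.php.jpg', 'test.phtml', '.htaccess', 'sub/dir/TEST.PHP'];

printf("%-18s %-8s %-14s %-14s\n", 'name', 'upload', 'rename(before)', 'rename(after)');
foreach ($cases as $name) {
    printf(
        "%-18s %-8s %-14s %-14s\n",
        $name,
        uploadAllowed($name) ? 'allowed' : 'denied',
        renameAllowedBefore(true, $name) ? 'allowed' : 'denied',
        renameAllowedAfter(true, $name) ? 'allowed' : 'denied'
    );
}
```

Run with `php filename-policy.php`. The "rename(before)" column shows every name allowed for an admin, while the "upload" and "rename(after)" columns agree with each other, which is the property the patch in this issue restores: the deny pattern is a property of the file name, not of the user's role.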


Related issues: 1 (0 open, 1 closed)

Has duplicate: TYPO3 Core - Bug #64619: Different behavior of allowed filename for admins (Closed, 2015-01-29)

Actions #1

Updated by Oliver Hader almost 10 years ago

  • Project changed from TYPO3 Core to 1716
Actions #2

Updated by Helmut Hummel almost 10 years ago

  • Project changed from 1716 to TYPO3 Core

Yes, admins can rename files to php files. They can even upload php files and install extensions.

However, it is not allowed and not possible for regular editors to do so.

Actions #3

Updated by Helmut Hummel almost 10 years ago

  • Status changed from New to Needs Feedback

Manuel Wohlers wrote:

> The configured fileDenyPattern is not respected on rename:
>
> A file can be uploaded as "test.jpg" and renamed to "test.php" in the Filelist in Typo3 Backend. Thereafter the php file can be executed.
>
> Verified in Typo3 CMS 6.1.5 and 6.2.3

You were testing as an admin, right?

btw. If you think you found security related issues, next time please send a mail to instead of opening a bug report in our public tracker. Thanks!

Actions #4

Updated by Manuel Wohlers almost 10 years ago

Yes I tested as admin user.
At least in 6.2.3 it is possible to rename to php but it is not possible to upload a php file directly.
That is confusing and inconsistent but I understand that it is no big deal for security (admins can upload php files in any case e.g. by installing new extensions).

Actions #5

Updated by Helmut Hummel almost 10 years ago

  • Category set to File Abstraction Layer (FAL)
  • Status changed from Needs Feedback to Accepted
  • Priority changed from Must have to Could have
  • Complexity set to medium

Manuel Wohlers wrote:

> Yes I tested as admin user.

OK. Thanks for your response.

> At least in 6.2.3 it is possible to rename to php but it is not possible to upload a php file directly.
> That is confusing and inconsistent

Alright. Feel free to create a patch for that (I would be fine either way, allowing admins to upload php files or deny admins to rename to php).

Actions #6

Updated by Torben Hansen over 9 years ago

Of course, admin users can upload php files (or any content they want) by uploading extensions or by using extensions like quixplorer, but I also think it is confusing that admin users can't upload files in the filelist which match extensions in fileDenyPattern, but are able to rename/create files with a file extension of their choice.

I will create a patch, so the fileDenyPattern is also checked for admin users.

Actions #7

Updated by Gerrit Code Review over 9 years ago

  • Status changed from Accepted to Under Review

Patch set 1 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at http://review.typo3.org/32610

Actions #8

Updated by Gerrit Code Review over 9 years ago

Patch set 2 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at http://review.typo3.org/32610

Actions #9

Updated by Gerrit Code Review over 9 years ago

Patch set 3 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at http://review.typo3.org/32610

Actions #10

Updated by Gerrit Code Review over 9 years ago

Patch set 4 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at http://review.typo3.org/32610

Actions #11

Updated by Gerrit Code Review over 9 years ago

Patch set 5 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at http://review.typo3.org/32610

Actions #12

Updated by Gerrit Code Review over 9 years ago

Patch set 6 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at http://review.typo3.org/32610

Actions #13

Updated by Gerrit Code Review over 9 years ago

Patch set 7 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at http://review.typo3.org/32610

Actions #14

Updated by Gerrit Code Review over 9 years ago

Patch set 8 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at http://review.typo3.org/32610

Actions #15

Updated by Helmut Hummel over 8 years ago

  • Status changed from Under Review to New

Patch was abandoned in Gerrit. We leave this open until someone wants to improve the patch to fix this.

Actions #16

Updated by Helmut Hummel almost 8 years ago

  • Subject changed from fileDenyPattern is not respected on renaming files to fileDenyPattern is not respected for admins on renaming files
Actions #17

Updated by Gerrit Code Review almost 8 years ago

  • Status changed from New to Under Review

Patch set 1 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/48302

Actions #18

Updated by Gerrit Code Review almost 8 years ago

Patch set 9 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/32610

Actions #19

Updated by Gerrit Code Review almost 8 years ago

Patch set 10 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/32610

Actions #20

Updated by Gerrit Code Review almost 8 years ago

Patch set 11 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/32610

Actions #21

Updated by Torben Hansen almost 8 years ago

  • Status changed from Under Review to Resolved
  • % Done changed from 0 to 100
Actions #22

Updated by Gerrit Code Review almost 8 years ago

  • Status changed from Resolved to Under Review

Patch set 1 for branch TYPO3_7-6 of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/48329

Actions #23

Updated by Gerrit Code Review almost 8 years ago

Patch set 1 for branch TYPO3_6-2 of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/48335

Actions #24

Updated by Helmut Hummel almost 8 years ago

Torben Hansen wrote:

> I will create a patch, so the fileDenyPattern is also checked for admin users.

Thanks a lot for the patch and your patience :)

I merged it in all supported branches now

Actions #25

Updated by Torben Hansen almost 8 years ago

  • Status changed from Under Review to Resolved
Actions #26

Updated by Gerrit Code Review almost 8 years ago

  • Status changed from Resolved to Under Review

Patch set 1 for branch TYPO3_6-2 of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/48348

Actions #27

Updated by Helmut Hummel almost 8 years ago

  • Status changed from Under Review to Resolved
Actions #28

Updated by Benni Mack over 5 years ago

  • Status changed from Resolved to Closed