Bug #64619

closed

Different behavior of allowed filename for admins

Added by Sascha Egerer about 9 years ago. Updated about 8 years ago.

Status: Closed
Priority: Should have
Assignee: -
Category: File Abstraction Layer (FAL)
Target version: -
Start date: 2015-01-29
Due date:
% Done: 0%
Estimated time:
TYPO3 Version: 6.2
PHP Version:
Tags:
Complexity: easy
Is Regression: No
Sprint Focus:

Description

It is not possible to upload a file in the filelist module that has an extension that is in $GLOBALS['TYPO3_CONF_VARS']['BE']['fileDenyPattern'].
The file typo3/tce_file.php, which is used for TCA uploads, allows uploading of files with a non-allowed file extension.

Reproduce: Create a content element of type "File links", click on the "Add File" button, select a PHP file and hit "upload files".

As discussed with the Security Team, this is not a security issue as admins are always able to upload files that are executable (like extensions).

The behavior should be the same for all uploads.


Files

2015-01-31_1756.png (19.9 KB) Armin Vieweg, 2015-01-31 17:57
2015-01-31_1757.png (17.7 KB) Armin Vieweg, 2015-01-31 17:57

Related issues 2 (0 open, 2 closed)

Related to TYPO3 Core - Bug #64621: FAL relation could be created even if the filetype is not allowed for the TCA field (Closed, 2015-01-29)

Is duplicate of TYPO3 Core - Bug #60173: fileDenyPattern is not respected for admins on renaming files (Closed, 2014-07-08)

#1

Updated by Ingo Schmitt about 9 years ago

  • Complexity set to easy

#2

Updated by Sascha Egerer about 9 years ago

  • Status changed from Accepted to In Progress
  • Assignee set to Sascha Egerer

#3

Updated by Armin Vieweg about 9 years ago

As an editor I am not able to upload a file with a denied file extension, neither in the Flash uploader nor in the Element Browser popup.

So this ticket seems to be obsolete.

#5

Updated by Sascha Egerer about 9 years ago

The ticket is about an admin user.
An admin is able to upload a PHP file in a content element but not in the filelist module. It shouldn't be possible in both places.

#6

Updated by Gerrit Code Review about 9 years ago

  • Status changed from In Progress to Under Review

Patch set 3 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at http://review.typo3.org/32610

#7

Updated by Gerrit Code Review about 9 years ago

Patch set 4 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at http://review.typo3.org/32610

#8

Updated by Gerrit Code Review about 9 years ago

Patch set 5 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at http://review.typo3.org/32610

#9

Updated by Gerrit Code Review about 9 years ago

Patch set 6 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at http://review.typo3.org/32610

#10

Updated by Helmut Hummel over 8 years ago

  • Status changed from Under Review to Closed
  • Assignee deleted (Sascha Egerer)

Resolved as duplicate

#11

Updated by Anja Leichsenring about 8 years ago

  • Sprint Focus deleted (On Location Sprint)