Project

General

Profile

Actions
Copy link

Bug #64619

closed

Different behavior of allowed filename for admins

Added by Sascha Egerer almost 10 years ago. Updated almost 9 years ago.

Status:
Closed
Priority:
Should have
Assignee:
-
Category:
File Abstraction Layer (FAL)
Target version:
-
Start date:
2015-01-29
Due date:
% Done:

0%

Estimated time:
TYPO3 Version:
6.2
PHP Version:
Tags:
Complexity:
easy
Is Regression:
No
Sprint Focus:

Description

It is not possible to upload a file in the filelistmodule that has an extension that is in $GLOBALS['TYPO3_CONF_VARS']['BE']['fileDenyPattern'].
The file typo3/tce_file.php, that is used for TCA Uploads, allows uploading of files with a non allowed file extension.

Reproduce: Create a content element of type "File links", Click on the "Add File" button, select a php file and hit "upload files".

As discussed with the Security Team this is not an security issue as admins are always able to upload files that are executable (like extensions).

The behavior should be the same for all uploads.

Files

Download all files
2015-01-31_1756.png (19.9 KB) 2015-01-31_1756.png Armin Vieweg, 2015-01-31 17:57
2015-01-31_1757.png (17.7 KB) 2015-01-31_1757.png Armin Vieweg, 2015-01-31 17:57

Related issues 2 (0 open2 closed)

Related to TYPO3 Core - Bug #64621: FAL relation could be created even if the filetype is not allowed for the TCA fieldClosed2015-01-29

Actions
Is duplicate of TYPO3 Core - Bug #60173: fileDenyPattern is not respected for admins on renaming filesClosed2014-07-08

Actions
Actions
Copy link
 #1

Updated by Ingo Schmitt almost 10 years ago

  • Complexity set to easy
Actions
Copy link
 #2

Updated by Sascha Egerer almost 10 years ago

  • Status changed from Accepted to In Progress
  • Assignee set to Sascha Egerer
Actions
Copy link
 #3

Updated by Armin Vieweg almost 10 years ago

As editor I am not able to upload a file with denied file extension. Not in Flash uploader, nor in Element Browser popup.

So this ticket seems to be obsolete.

Actions
Copy link
 #5

Updated by Sascha Egerer almost 10 years ago

The Ticket is about an admin user.
An admin is able to upload a php file in a content element but not in the filelist module. It shouldn't be possible at both places.

Actions
Copy link
 #6

Updated by Gerrit Code Review almost 10 years ago

  • Status changed from In Progress to Under Review

Patch set 3 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at http://review.typo3.org/32610

Actions
Copy link
 #7

Updated by Gerrit Code Review almost 10 years ago

Patch set 4 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at http://review.typo3.org/32610

Actions
Copy link
 #8

Updated by Gerrit Code Review almost 10 years ago

Patch set 5 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at http://review.typo3.org/32610

Actions
Copy link
 #9

Updated by Gerrit Code Review almost 10 years ago

Patch set 6 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at http://review.typo3.org/32610

Actions
Copy link
 #10

Updated by Helmut Hummel over 9 years ago

  • Status changed from Under Review to Closed
  • Assignee deleted (Sascha Egerer)

Resolved as duplicate

Actions
Copy link
 #11

Updated by Anja Leichsenring almost 9 years ago

  • Sprint Focus deleted (On Location Sprint)
Actions
Copy link

Also available in: Atom PDF