Bug #64619

closed

Different behavior of allowed filename for admins

Added by Sascha Egerer over 9 years ago. Updated over 8 years ago.

Status: Closed
Priority: Should have
Assignee: -
Category: File Abstraction Layer (FAL)
Target version: -
Start date: 2015-01-29
Due date:
% Done: 0%
Estimated time:
TYPO3 Version: 6.2
PHP Version:
Tags:
Complexity: easy
Is Regression: No
Sprint Focus:

Description

It is not possible to upload a file in the Filelist module that has an extension that is in $GLOBALS['TYPO3_CONF_VARS']['BE']['fileDenyPattern'].
The file typo3/tce_file.php, which is used for TCA uploads, allows uploading of files with a non-allowed file extension.

Reproduce: Create a content element of type "File links", click on the "Add File" button, select a PHP file and hit "upload files".

As discussed with the Security Team, this is not a security issue, as admins are always able to upload files that are executable (like extensions).

The behavior should be the same for all uploads.
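
The consistency the report asks for, as an added PHP example that is not part of the original report or of TYPO3 core: one filename check that every upload entry point calls, with the caller's admin flag never used to skip it. SAMPLE_DENY_PATTERN, isFilenameAllowed(), acceptUpload() and the entry point labels are assumptions made for this illustration.

```php
<?php
declare(strict_types=1);

// Constructed sample pattern for this example; a TYPO3 installation takes the
// real value from $GLOBALS['TYPO3_CONF_VARS']['BE']['fileDenyPattern'].
const SAMPLE_DENY_PATTERN = '\\.(php[3-6]?|phpsh|phtml)(\\..*)?$|^\\.htaccess$';

/**
 * Hypothetical shared check: true only when the name passes the deny pattern.
 * Assumes the pattern contains no unescaped "/" (used as the regex delimiter).
 */
function isFilenameAllowed(string $filename, string $denyPattern): bool
{
    // Judge the final path component only, whatever separator the client sent.
    $name = basename(str_replace('\\', '/', $filename));
    if ($name === '' || preg_match('/[[:cntrl:]]/', $name) === 1) {
        return false;
    }
    if ($denyPattern === '') {
        return true; // no pattern configured, nothing to deny
    }
    // Fail closed: preg_match() returns false on a broken pattern, and only an
    // explicit 0 (no match) lets the file through.
    return preg_match('/' . $denyPattern . '/i', $name) === 0;
}

/**
 * Hypothetical upload gate called by every entry point. The caller's role is
 * logged but never used to bypass the check.
 */
function acceptUpload(string $entryPoint, string $filename, bool $isAdmin): bool
{
    $ok = isFilenameAllowed($filename, SAMPLE_DENY_PATTERN);
    printf("%-12s admin=%d %-16s %s\n", $entryPoint, $isAdmin, $filename, $ok ? 'accepted' : 'rejected');
    return $ok;
}

// Constructed file names: each must get the same decision on both paths.
foreach (['report.pdf', 'shell.php', 'Shell.PHP5', 'notes.php.txt', '.htaccess'] as $name) {
    foreach (['filelist', 'tca-upload'] as $entryPoint) {
        acceptUpload($entryPoint, $name, true);
    }
}
```

Only report.pdf is accepted; the case-insensitive match and the optional trailing extension in the sample pattern also reject Shell.PHP5 and notes.php.txt on both paths.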


Files

2015-01-31_1756.png (19.9 KB), Armin Vieweg, 2015-01-31 17:57
2015-01-31_1757.png (17.7 KB), Armin Vieweg, 2015-01-31 17:57

Related issues 2 (0 open, 2 closed)

Related to TYPO3 Core - Bug #64621: FAL relation could be created even if the filetype is not allowed for the TCA field (Closed, 2015-01-29)
Is duplicate of TYPO3 Core - Bug #60173: fileDenyPattern is not respected for admins on renaming files (Closed, 2014-07-08)
