TYPO3 Core

I have open_basedir restrictions on our servers.

I want to fetch the file content from a FileReference of a local file.

File->getContents()

calls

ResourceStorage->getFileContents()

which checks

ResourceStorage->assureFileReadPermission()

first.

ResourceStorage->checkFileActionPermission()

calls

if (!$this->checkFileExtensionPermission($file->getName())) {

supplying ONLY the fileName and not the file object or the full path to the file!

In checkFileExtensionPermission() since only the fileName has been supplied extracting the extension is done like this:

$fileInfo = GeneralUtility::split_fileref($fileName);
...
$fileExtension = strtolower($fileInfo['fileext']);

GeneralUtility::split_fileref in turn expects to be fed with full pathes to existing files only and happily calls !is_dir($fileref) :

static public function split_fileref($fileref) {
    if (!is_dir($fileref) && preg_match('/(.*)\\.([^\\.]*$)/', $info['file'], $reg)) {

This results in a check for is_dir() supplying only a file name.

With a open_basedir restriction in effect this results in

PHP Warning: is_dir(): open_basedir restriction in effect. File(XYZ.svg) is not within the allowed path(s): ([...]) in typo3_src-6.2.11/typo3/sysext/core/Classes/Utility/GeneralUtility.php line 886" 

since the file XYZ.svg is not directly in one of the configured pathes but a subdirectory "fileadmin/user_upload".

Either the check to fetch the file extension in checkFileExtensionPermission() has to be adapted to fetch differently or GeneralUtility::split_fileref needs to be changed not to use is_dir.