Bug #66033

closed

open_basedir restriction fails File->getContents() due to ResourceStorage->checkFileExtensionPermission() and GeneralUtility::split_fileref()

Added by Stephan Großberndt over 9 years ago. Updated about 6 years ago.

Status: Closed
Priority: Should have
Assignee: -
Category: File Abstraction Layer (FAL)
Target version:
Start date: 2015-03-25
Due date:
% Done: 100%
Estimated time:
TYPO3 Version: 6.2
PHP Version: 5.4
Tags:
Complexity:
Is Regression: No
Sprint Focus:

Description

I have open_basedir restrictions on our servers.

I want to fetch the file content from a FileReference of a local file.

File->getContents() calls ResourceStorage->getFileContents(), which checks ResourceStorage->assureFileReadPermission() first.

ResourceStorage->checkFileActionPermission() calls

if (!$this->checkFileExtensionPermission($file->getName())) {

supplying ONLY the fileName and not the file object or the full path to the file!

In checkFileExtensionPermission(), since only the fileName has been supplied, extracting the extension is done like this:

$fileInfo = GeneralUtility::split_fileref($fileName);
...
$fileExtension = strtolower($fileInfo['fileext']);

GeneralUtility::split_fileref in turn expects to be fed with full paths to existing files only and happily calls !is_dir($fileref):

static public function split_fileref($fileref) {
    if (!is_dir($fileref) && preg_match('/(.*)\\.([^\\.]*$)/', $info['file'], $reg)) {

This results in a check for is_dir() supplying only a file name.

With an open_basedir restriction in effect this results in

PHP Warning: is_dir(): open_basedir restriction in effect. File(XYZ.svg) is not within the allowed path(s): ([...]) in typo3_src-6.2.11/typo3/sysext/core/Classes/Utility/GeneralUtility.php line 886" 

since the file XYZ.svg is not directly in one of the configured paths but in a subdirectory "fileadmin/user_upload".

Either the check to fetch the file extension in checkFileExtensionPermission() has to be adapted to fetch differently or GeneralUtility::split_fileref needs to be changed not to use is_dir.
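
One way to read the extension from a bare file name without any filesystem call, in the spirit of the first option named above. This is an added example, not part of the original report and not TYPO3's code; the function name splitFileNameWithoutStat and the sample names are assumptions made for illustration.

```php
<?php
// Added example: hypothetical helper, not TYPO3 code.
// Splits a file name or path with string functions only, so no stat call
// (is_dir, file_exists, ...) is made and open_basedir is never consulted.
function splitFileNameWithoutStat($fileref)
{
    $fileref = (string)$fileref;

    // Path part: everything up to and including the last "/".
    $slash = strrpos($fileref, '/');
    $path = $slash === false ? '' : (string)substr($fileref, 0, $slash + 1);
    $file = $slash === false ? $fileref : (string)substr($fileref, $slash + 1);

    // Extension: whatever follows the last dot of the file part.
    // Trade-off: a directory named "foo.bar" would be reported with the
    // extension "bar", so only pass names already known to be files
    // (as with $file->getName() in the report).
    $dot = strrpos($file, '.');
    $body = $dot === false ? $file : (string)substr($file, 0, $dot);
    $ext = $dot === false ? '' : (string)substr($file, $dot + 1);

    return array(
        'path' => $path,
        'file' => $file,
        'filebody' => $body,
        'fileext' => strtolower($ext),
    );
}

// Constructed sample names, including the edge cases of the last-dot rule.
$samples = array(
    'XYZ.svg',
    'fileadmin/user_upload/XYZ.svg',
    'archive.tar.GZ',
    '.htaccess',
    'README',
    'trailing.',
);
foreach ($samples as $name) {
    $info = splitFileNameWithoutStat($name);
    printf("%-32s file=%-16s ext=%s\n", $name, $info['file'], var_export($info['fileext'], true));
}
```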
