Bug #67061

Upload of files with "Umlaute" is not possible for non-admins when utf8 filesystem is enabled

Added by Nils Blattner almost 4 years ago. Updated 4 months ago.

Status: Resolved
Priority: Must have
Assignee: -
Category: File Abstraction Layer (FAL)
Target version: -
Start date: 2015-05-20
Due date:
% Done: 100%
TYPO3 Version: 8
PHP Version: 7.0
Tags:
Complexity: easy
Is Regression: No
Sprint Focus:

Description

Hi there

When a non-admin tries to upload a file with special characters in the name (e.g. täst.txt) and $GLOBALS['TYPO3_CONF_VARS']['SYS']['UTF8filesystem'] is active, the upload fails. This is because the default "fileDenyPattern" is not applied with the PCRE "u" option in GeneralUtility::verifyFilenameAgainstDenyPattern().

This can be fixed by making those two patterns PCRE_UTF8 /.../u.

Steps to reproduce:
  1. $GLOBALS['TYPO3_CONF_VARS']['SYS']['UTF8filesystem'] = 1;
  2. Leave $GLOBALS['TYPO3_CONF_VARS']['BE']['fileDenyPattern'] as default
  3. Switch to non-admin user
  4. Upload a file with special characters in the file name (äöüéàè etc.)

Kind regards
Nils

20150520-GeneralUtility.php.diff View (729 Bytes) Nils Blattner, 2015-05-20 16:09


Related issues

Duplicated by TYPO3 Core - Bug #77516: verifyFilenameAgainstDenyPattern not UTF-8 save Closed 2016-08-16
Duplicated by TYPO3 Core - Bug #85384: verifyFilenameAgainstDenyPattern doesn´t work with UTF-8 strings in Command Closed 2018-06-25

Associated revisions

Revision 020d8cac (diff)
Added by Pascal Rinker 4 months ago

[BUGFIX] Allow unicode characters in verifyFileNameAgainstDenyPattern

Using (valid) unicode characters in
GeneralUtility::verifyFilenameAgainstDenyPattern was not possible due
to a missing unicode modifier when evaluating regular expressions.
The unicode modifier has been added.
Since unicode errors in regular expressions will lead to `false`
results, it is important to perform type-safe checks against `0`.

Resolves: #67061
Releases: master, 8.7
Change-Id: If3eea7129c92b296b85b93a1f1c81a446a2f5f90
Reviewed-on: https://review.typo3.org/57389
Tested-by: TYPO3com <>
Reviewed-by: Susanne Moog <>
Tested-by: Susanne Moog <>
Reviewed-by: Benni Mack <>
Tested-by: Benni Mack <>

Revision 1398fe40 (diff)
Added by Pascal Rinker 4 months ago

[BUGFIX] Allow unicode characters in verifyFileNameAgainstDenyPattern

Using (valid) unicode characters in
GeneralUtility::verifyFilenameAgainstDenyPattern was not possible due
to a missing unicode modifier when evaluating regular expressions.
The unicode modifier has been added.
Since unicode errors in regular expressions will lead to `false`
results, it is important to perform type-safe checks against `0`.

Resolves: #67061
Releases: master, 8.7
Change-Id: If3eea7129c92b296b85b93a1f1c81a446a2f5f90
Reviewed-on: https://review.typo3.org/58772
Tested-by: TYPO3com <>
Reviewed-by: Benni Mack <>
Tested-by: Benni Mack <>
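
The commit message's point about type-safe checks against `0`, shown as an added example (not TYPO3 core code and not part of the commit). The function names `verifyLoose` and `verifyStrict` and the sample file names are hypothetical; the deny pattern is the default quoted in comment #4. With the "u" modifier, a file name that is not valid UTF-8 makes `preg_match()` return `false`, which the negating check accepts and the `=== 0` check rejects.

```php
<?php
declare(strict_types=1);

// Default fileDenyPattern as quoted in comment #4 of this issue.
const FILE_DENY_PATTERN = '\\.(php[3-6]?|phpsh|phtml)(\\..*)?$|^\\.htaccess$';
const PATTERN = '/(?:[[:cntrl:]]|' . FILE_DENY_PATTERN . ')/iu';

// Hypothetical helper: loose check, as in "return !preg_match(...)".
// A preg_match() error (false) is negated to true, so the name is accepted.
function verifyLoose(string $filename): bool
{
    return !preg_match(PATTERN, $filename);
}

// Hypothetical helper: type-safe check. Only an explicit 0 ("no match")
// accepts the name; a match (1) or an error (false) rejects it.
function verifyStrict(string $filename): bool
{
    return preg_match(PATTERN, $filename) === 0;
}

// Constructed sample file names.
$samples = [
    "t\xC3\xA4st.txt", // valid UTF-8 "täst.txt"
    'shell.php',        // denied extension
    '.htaccess',        // denied name
    "t\xE4st.php",      // lone 0xE4 byte: invalid UTF-8, denied extension
];

foreach ($samples as $name) {
    $strict = verifyStrict($name);
    // Error state of the preg_match() call made by verifyStrict().
    $badUtf8 = preg_last_error() === PREG_BAD_UTF8_ERROR;
    $loose = verifyLoose($name);
    printf(
        "%-18s loose=%-8s strict=%-8s bad_utf8=%s\n",
        rawurlencode($name), // percent-encoded so raw bytes stay printable
        $loose ? 'allowed' : 'denied',
        $strict ? 'allowed' : 'denied',
        $badUtf8 ? 'yes' : 'no'
    );
}
```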

History

#1 Updated by Gerrit Code Review over 3 years ago

  • Status changed from New to Under Review

Patch set 1 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at http://review.typo3.org/40518

#2 Updated by Gerrit Code Review over 3 years ago

Patch set 2 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at http://review.typo3.org/40518

#3 Updated by Gerrit Code Review over 3 years ago

Patch set 3 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at http://review.typo3.org/40518

#4 Updated by Mathias Brodala over 3 years ago

Are you sure the upload fails with the default fileDenyPattern? The default value is \\.(php[3-6]?|phpsh|phtml)(\\..*)?$|^\\.htaccess$ which would not deny files with umlauts.

#5 Updated by Helmut Hummel over 3 years ago

  • Status changed from Under Review to Needs Feedback

#6 Updated by Nils Blattner over 3 years ago

Hi Mathias

Yes, it does fail with the default fileDenyPattern (just checked it again).
From reading a bit on the php.net pages and stackoverflow, I guess it depends on what libpcre is installed.

The system where I found it to be a problem uses the following PCRE version:

    $ dpkg -l | grep -i pcre
    ii  libpcre3:amd64                      1:8.31-2ubuntu2                     amd64        Perl 5 Compatible Regular Expression Library - runtime files

When matching UTF-8 strings or using a UTF-8 pattern, the "u"-modifier should be used:
http://php.net/manual/en/reference.pcre.pattern.modifiers.php#103348

It may well be that the unit test passed because a different version of libpcre ignores the fact that the subject is utf8.

Kind regards
Nils

#7 Updated by Alexander Opitz over 3 years ago

  • Status changed from Needs Feedback to New
  • Target version changed from next-patchlevel to 6.2.16

#8 Updated by Gerrit Code Review over 3 years ago

  • Status changed from New to Under Review

Patch set 4 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at http://review.typo3.org/40518

#9 Updated by Jens Jacobsen over 1 year ago

  • TYPO3 Version changed from 6.2 to 8
  • PHP Version changed from 5.5 to 7.0

This bug is still there in 7.6 LTS and 8 LTS and in my case it's preventing a TYPO3 console command to add/edit files containing any UTF-8 character in special, even if the cli backend user has admin rights. If this whole contribution process were easier to understand, I would maybe supply a patch. For now I'm going to try patching the GeneralUtility class via Composer. The solution would be to add the u modifier only if the UTF8filesystem is enabled:

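    public static function verifyFilenameAgainstDenyPattern($filename)
    {
        // Control characters are always rejected
        $pattern = '/[[:cntrl:]]/';
        if ((string)$filename !== '' && (string)$GLOBALS['TYPO3_CONF_VARS']['BE']['fileDenyPattern'] !== '') {
            // Add the PCRE "u" (UTF-8) modifier only when UTF8filesystem is enabled
            $pattern = '/(?:[[:cntrl:]]|' . $GLOBALS['TYPO3_CONF_VARS']['BE']['fileDenyPattern'] . ')/i' .
                ((bool)$GLOBALS['TYPO3_CONF_VARS']['SYS']['UTF8filesystem'] ? 'u' : '');
        }
        // preg_match() returns false on error (e.g. invalid UTF-8 with "u"); only 0 means "no match"
        return preg_match($pattern, $filename) === 0;
    }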

#10 Updated by Riccardo De Contardi over 1 year ago

  • Target version deleted (6.2.16)

#11 Updated by Gerrit Code Review 8 months ago

Patch set 1 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/57389

#12 Updated by Mathias Brodala 8 months ago

  • Duplicated by Bug #85384: verifyFilenameAgainstDenyPattern doesn´t work with UTF-8 strings in Command added

#13 Updated by Gerrit Code Review 4 months ago

Patch set 2 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/57389

#14 Updated by Gerrit Code Review 4 months ago

Patch set 3 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/57389

#15 Updated by Gerrit Code Review 4 months ago

Patch set 4 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/57389

#16 Updated by Gerrit Code Review 4 months ago

Patch set 5 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/57389

#17 Updated by Gerrit Code Review 4 months ago

Patch set 1 for branch TYPO3_8-7 of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/58772

#18 Updated by Anonymous 4 months ago

  • Status changed from Under Review to Resolved
  • % Done changed from 0 to 100
