Bug #67061

Upload of files with "Umlaute" is not possible for non-admins when utf8 filesystem is enabled

Added by Nils Blattner over 5 years ago. Updated over 1 year ago.

Status: Closed
Priority: Must have
Assignee: -
Category: File Abstraction Layer (FAL)
Target version: -
Start date: 2015-05-20
Due date:
% Done: 100%
Estimated time:
TYPO3 Version: 8
PHP Version: 7.0
Tags:
Complexity: easy
Is Regression: No
Sprint Focus:

Description

Hi there

When a non-admin tries to upload a file with special characters in the name (e.g. täst.txt) and $GLOBALS['TYPO3_CONF_VARS']['SYS']['UTF8filesystem'] is active, the upload fails. This is because the default "fileDenyPattern" is not applied with the PCRE "u" option in GeneralUtility::verifyFilenameAgainstDenyPattern().

This can be fixed by making those two patterns PCRE_UTF8 /.../u.

Steps to reproduce:
  1. $GLOBALS['TYPO3_CONF_VARS']['SYS']['UTF8filesystem'] = 1;
  2. Leave $GLOBALS['TYPO3_CONF_VARS']['BE']['fileDenyPattern'] as default
  3. Switch to non-admin user
  4. Upload a file with special characters in the file name (äöüéàè etc.)

Kind regards
Nils


Files

20150520-GeneralUtility.php.diff (729 Bytes) Nils Blattner, 2015-05-20 16:09

Related issues

Has duplicate TYPO3 Core - Bug #77516: verifyFilenameAgainstDenyPattern not UTF-8 save (Closed, 2016-08-16)
Has duplicate TYPO3 Core - Bug #85384: verifyFilenameAgainstDenyPattern doesn´t work with UTF-8 strings in Command (Closed, 2018-06-25)

#1

Updated by Gerrit Code Review over 5 years ago

  • Status changed from New to Under Review

Patch set 1 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at http://review.typo3.org/40518

#2

Updated by Gerrit Code Review over 5 years ago

Patch set 2 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at http://review.typo3.org/40518

#3

Updated by Gerrit Code Review over 5 years ago

Patch set 3 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at http://review.typo3.org/40518

#4

Updated by Mathias Brodala over 5 years ago

Are you sure the upload fails with the default fileDenyPattern? The default value is \\.(php[3-6]?|phpsh|phtml)(\\..*)?$|^\\.htaccess$ which would not deny files with umlauts.

#5

Updated by Helmut Hummel over 5 years ago

  • Status changed from Under Review to Needs Feedback
#6

Updated by Nils Blattner over 5 years ago

Hi Mathias

Yes, it does fail with the default fileDenyPattern (just checked it again).
From reading a bit on the php.net pages and stackoverflow, I guess it depends on what libpcre is installed.

The system where I found it to be a problem uses the following PCRE version:

$ dpkg -l | grep -i pcre
ii  libpcre3:amd64                      1:8.31-2ubuntu2                     amd64        Perl 5 Compatible Regular Expression Library - runtime files

When matching UTF-8 strings or using a UTF-8 pattern, the "u"-modifier should be used:
http://php.net/manual/en/reference.pcre.pattern.modifiers.php#103348

It may well be that the unit test passed because a different version of libpcre ignores the fact that the subject is UTF-8.

Kind regards
Nils

#7

Updated by Alexander Opitz about 5 years ago

  • Status changed from Needs Feedback to New
  • Target version changed from next-patchlevel to 6.2.16
#8

Updated by Gerrit Code Review about 5 years ago

  • Status changed from New to Under Review

Patch set 4 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at http://review.typo3.org/40518

#9

Updated by Jens Jacobsen over 3 years ago

  • TYPO3 Version changed from 6.2 to 8
  • PHP Version changed from 5.5 to 7.0

This bug is still there in 7.6 LTS and 8 LTS, and in my case it's preventing a TYPO3 console command from adding/editing files containing any UTF-8 character in special, even if the CLI backend user has admin rights. If this whole contribution process were easier to understand, I would maybe supply a patch. For now I'm going to try patching the GeneralUtility class via Composer. The solution would be to add the u modifier only if UTF8filesystem is enabled:

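    public static function verifyFilenameAgainstDenyPattern($filename)
    {
        // Control characters are always rejected, even without a configured deny pattern.
        $pattern = '/[[:cntrl:]]/';
        if ((string)$filename !== '' && (string)$GLOBALS['TYPO3_CONF_VARS']['BE']['fileDenyPattern'] !== '') {
            // Add the "u" modifier only when the UTF-8 file system setting is enabled.
            $pattern = '/(?:[[:cntrl:]]|' . $GLOBALS['TYPO3_CONF_VARS']['BE']['fileDenyPattern'] . ')/i' .
                ((bool)$GLOBALS['TYPO3_CONF_VARS']['SYS']['UTF8filesystem'] ? 'u' : '');
        }
        // preg_match() returns false on error (e.g. a subject that is not valid UTF-8
        // under "u"); accept the name only on an explicit 0 so errors do not pass.
        return preg_match($pattern, $filename) === 0;
    }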
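
Added example (not part of the original comments and not TYPO3 core code): with the "u" modifier, preg_match() returns false rather than 0 when the filename is not valid UTF-8, so how the result is tested decides whether the deny check fails open or closed. The function names are hypothetical and the sample names are constructed; the pattern is the default fileDenyPattern quoted in comment #4.

```php
<?php
// Added example; not TYPO3 core code. DENY_PATTERN is the default
// fileDenyPattern quoted in comment #4. Function names are hypothetical.
const DENY_PATTERN = '\\.(php[3-6]?|phpsh|phtml)(\\..*)?$|^\\.htaccess$';

function buildPattern(bool $utf8): string
{
    return '/(?:[[:cntrl:]]|' . DENY_PATTERN . ')/i' . ($utf8 ? 'u' : '');
}

// Negated result: an error (false) is indistinguishable from "no match" (0).
function isAllowedNegated(string $filename, bool $utf8): bool
{
    return !preg_match(buildPattern($utf8), $filename);
}

// Strict result: only an explicit 0 lets the name through; errors deny.
function isAllowedStrict(string $filename, bool $utf8): bool
{
    return preg_match(buildPattern($utf8), $filename) === 0;
}

// Constructed sample names. The last one is ISO-8859-1 encoded: its lone
// 0xE4 byte is not valid UTF-8, which makes preg_match() fail under "u".
$samples = ['report.txt', "t\u{00E4}st.txt", 'shell.php', '.htaccess', "t\xE4st.php"];

printf("%-18s %-8s %-8s %s\n", 'name (URL-encoded)', 'negated', 'strict', 'PCRE error');
foreach ($samples as $name) {
    $negated = isAllowedNegated($name, true);
    $strict = isAllowedStrict($name, true);
    // preg_last_error() reflects the most recent preg_match() call above.
    $error = preg_last_error() === PREG_BAD_UTF8_ERROR ? 'bad UTF-8' : '-';
    printf(
        "%-18s %-8s %-8s %s\n",
        rawurlencode($name),
        $negated ? 'allow' : 'deny',
        $strict ? 'allow' : 'deny',
        $error
    );
}
```
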
#10

Updated by Riccardo De Contardi about 3 years ago

  • Target version deleted (6.2.16)
#11

Updated by Gerrit Code Review over 2 years ago

Patch set 1 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/57389

#12

Updated by Mathias Brodala over 2 years ago

  • Has duplicate Bug #85384: verifyFilenameAgainstDenyPattern doesn´t work with UTF-8 strings in Command added
#13

Updated by Gerrit Code Review about 2 years ago

Patch set 2 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/57389

#14

Updated by Gerrit Code Review about 2 years ago

Patch set 3 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/57389

#15

Updated by Gerrit Code Review about 2 years ago

Patch set 4 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/57389

#16

Updated by Gerrit Code Review about 2 years ago

Patch set 5 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/57389

#17

Updated by Gerrit Code Review about 2 years ago

Patch set 1 for branch TYPO3_8-7 of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/58772

#18

Updated by Anonymous about 2 years ago

  • Status changed from Under Review to Resolved
  • % Done changed from 0 to 100
#19

Updated by Benni Mack over 1 year ago

  • Status changed from Resolved to Closed
