Bug #67061
closed
Upload of files with "Umlaute" is not possible for non-admins when utf8 filesystem is enabled
100%
Description
Hi there
When a non-admin tries to upload a file with special characters in the name (e.g. täst.txt) and $GLOBALS['TYPO3_CONF_VARS']['SYS']['UTF8filesystem'] is active, the upload fails. This is because the default "fileDenyPattern" is not applied with the PCRE "u" option in GeneralUtility::verifyFilenameAgainstDenyPattern().
This can be fixed by making those two patterns PCRE_UTF8 /.../u.
Steps to reproduce:
- $GLOBALS['TYPO3_CONF_VARS']['SYS']['UTF8filesystem'] = 1;
- Leave $GLOBALS['TYPO3_CONF_VARS']['BE']['fileDenyPattern'] as default
- Switch to non-admin user
- Upload a file with special characters in the file name (äöüéàè etc.)
Kind regards
Nils
Updated by Gerrit Code Review over 9 years ago
- Status changed from New to Under Review
Patch set 1 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at http://review.typo3.org/40518
Updated by Gerrit Code Review over 9 years ago
Patch set 2 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at http://review.typo3.org/40518
Updated by Gerrit Code Review over 9 years ago
Patch set 3 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at http://review.typo3.org/40518
Updated by Mathias Brodala over 9 years ago
Are you sure the upload fails with the default fileDenyPattern? The default value is \\.(php[3-6]?|phpsh|phtml)(\\..*)?$|^\\.htaccess$ which would not deny files with umlauts.
Updated by Helmut Hummel over 9 years ago
- Status changed from Under Review to Needs Feedback
Updated by Nils Blattner over 9 years ago
Hi Mathias
Yes, it does fail with the default fileDenyPattern (just checked it again).
From reading a bit on the php.net pages and stackoverflow, I guess it depends on what libpcre is installed.
The system where I found it to be a problem uses the following PCRE version:
$ dpkg -l | grep -i pcre
ii libpcre3:amd64 1:8.31-2ubuntu2 amd64 Perl 5 Compatible Regular Expression Library - runtime files
When matching UTF-8 strings or using a UTF-8 pattern, the "u"-modifier should be used:
http://php.net/manual/en/reference.pcre.pattern.modifiers.php#103348
It may well be that the unit test passed because a different version of libpcre ignores the fact that the subject is utf8.
Kind regards
Nils
Updated by Alexander Opitz over 9 years ago
- Status changed from Needs Feedback to New
- Target version changed from next-patchlevel to 6.2.16
Updated by Gerrit Code Review over 9 years ago
- Status changed from New to Under Review
Patch set 4 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at http://review.typo3.org/40518
Updated by Jens Jacobsen over 7 years ago
- TYPO3 Version changed from 6.2 to 8
- PHP Version changed from 5.5 to 7.0
This bug is still there in 7.6 LTS and 8 LTS and in my case it's preventing a TYPO3 console command to add/edit files containing any UTF-8 character in special, even if the cli backend user has admin rights. If this whole contribute process would be easier to understand I maybe would supply a patch. For now I'm going to try patching the GeneralUtility class via Composer. The solution would be to add the u modifier only if the UTF8filesystem is enabled:
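public static function verifyFilenameAgainstDenyPattern($filename)
{
    // Control characters are always rejected, even without a configured deny pattern.
    $pattern = '/[[:cntrl:]]/';
    if ((string)$filename !== '' && (string)$GLOBALS['TYPO3_CONF_VARS']['BE']['fileDenyPattern'] !== '') {
        // Append the PCRE "u" modifier only when UTF-8 file names are enabled.
        $pattern = '/(?:[[:cntrl:]]|' . $GLOBALS['TYPO3_CONF_VARS']['BE']['fileDenyPattern'] . ')/i' .
            ((bool)$GLOBALS['TYPO3_CONF_VARS']['SYS']['UTF8filesystem'] ? 'u' : '');
    }
    // preg_match() returns false on error (e.g. malformed UTF-8 under "u");
    // accept the name only on a definite non-match (0).
    return preg_match($pattern, $filename) === 0;
}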
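An added example, not part of the thread and not TYPO3's code: a standalone PHP script that runs the default fileDenyPattern quoted above with and without the "u" modifier, and treats a PCRE error as a denial rather than a pass. The function names and the sample file names are constructed for illustration.

```php
<?php
// Added example; not TYPO3 code. Function names and sample names are constructed.

// Default fileDenyPattern as quoted in the thread (PHP string form).
const DENY = '\\.(php[3-6]?|phpsh|phtml)(\\..*)?$|^\\.htaccess$';

/**
 * True only when the name definitely does not match the deny pattern.
 * preg_match() yields 1 (match), 0 (no match) or false (error, such as a
 * malformed UTF-8 subject under /u); anything but 0 is treated as denied.
 */
function isAllowedName(string $name, bool $utf8): bool
{
    $pattern = '/(?:[[:cntrl:]]|' . DENY . ')/i' . ($utf8 ? 'u' : '');
    return preg_match($pattern, $name) === 0;
}

/** Verdict plus the PCRE error, if the engine refused the subject. */
function verdict(string $name, bool $utf8): string
{
    $text = isAllowedName($name, $utf8) ? 'allow' : 'deny';
    if (preg_last_error() === PREG_BAD_UTF8_ERROR) {
        $text .= ' (malformed UTF-8)';
    }
    return $text;
}

// Constructed sample file names.
$samples = [
    "t\u{00E4}st.txt",  // umlaut, valid UTF-8
    'shell.php',        // PHP extension
    'shell.php.txt',    // PHP extension followed by another suffix
    '.htaccess',
    "tab\tname.txt",    // control character
    "t\xE4st.txt",      // Latin-1 byte, not valid UTF-8
];

foreach ($samples as $name) {
    // Escape non-printable and high bytes so the terminal shows them safely.
    $shown = addcslashes($name, "\0..\37\177..\377");
    printf("%-22s  /i: %-6s /iu: %s\n", $shown, verdict($name, false), verdict($name, true));
}
```

Run it with the PHP CLI on the host in question; the /i column is the one the thread reports as depending on the installed libpcre.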
Updated by Riccardo De Contardi over 7 years ago
- Target version deleted (6.2.16)
Updated by Gerrit Code Review over 6 years ago
Patch set 1 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/57389
Updated by Mathias Brodala over 6 years ago
- Has duplicate Bug #85384: verifyFilenameAgainstDenyPattern doesn´t work with UTF-8 strings in Command added
Updated by Gerrit Code Review over 6 years ago
Patch set 2 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/57389
Updated by Gerrit Code Review over 6 years ago
Patch set 3 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/57389
Updated by Gerrit Code Review over 6 years ago
Patch set 4 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/57389
Updated by Gerrit Code Review over 6 years ago
Patch set 5 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/57389
Updated by Gerrit Code Review over 6 years ago
Patch set 1 for branch TYPO3_8-7 of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/58772
Updated by Anonymous over 6 years ago
- Status changed from Under Review to Resolved
- % Done changed from 0 to 100
Applied in changeset 020d8cac4349663d551649644244723afefb594e.
Updated by Benni Mack almost 6 years ago
- Status changed from Resolved to Closed