Bug #67061
closed
Upload of files with "Umlaute" is not possible for non-admins when utf8 filesystem is enabled
100%
Description
Hi there
When a non-admin tries to upload a file with special characters in the name (e.g. täst.txt) and $GLOBALS['TYPO3_CONF_VARS']['SYS']['UTF8filesystem'] is active, the upload fails. This is because the default "fileDenyPattern" is not applied with the PCRE "u" option in GeneralUtility::verifyFilenameAgainstDenyPattern().
This can be fixed by making those two patterns PCRE_UTF8 /.../u.
Steps to reproduce:- $GLOBALS['TYPO3_CONF_VARS']['SYS']['UTF8filesystem'] = 1;
- Leave $GLOBALS['TYPO3_CONF_VARS']['BE']['fileDenyPattern'] as default
- Switch to non-admin user
- Upload a file with special characters in the file name (äöüéàè etc.)
Kind regards
Nils
Files
Updated by Gerrit Code Review almost 10 years ago
- Status changed from New to Under Review
Patch set 1 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at http://review.typo3.org/40518
Updated by Gerrit Code Review almost 10 years ago
Patch set 2 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at http://review.typo3.org/40518
Updated by Gerrit Code Review almost 10 years ago
Patch set 3 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at http://review.typo3.org/40518
Updated by Mathias Brodala almost 10 years ago
Are you sure the upload fails with the default fileDenyPattern? The default value is \\.(php[3-6]?|phpsh|phtml)(\\..*)?$|^\\.htaccess$ which would not deny files with umlauts.
Updated by Helmut Hummel almost 10 years ago
- Status changed from Under Review to Needs Feedback
Updated by Nils Blattner almost 10 years ago
Hi Mathias
Yes, it does fail with the default fileDenyPattern (just checked it again).
From reading a bit on the php.net pages and stackoverflow, I guess it depends on what libpcre is installed.
The system where I found it to be a problem uses the following PCRE version:
$ dpkg -l | grep -i pcre ii libpcre3:amd64 1:8.31-2ubuntu2 amd64 Perl 5 Compatible Regular Expression Library - runtime files
When matching UTF-8 strings or using an UTF-8 pattern, the "u"-modifier should be used:
http://php.net/manual/en/reference.pcre.pattern.modifiers.php#103348
It may well be that the unit test passed because a different version of libpcre ignores the fact, that the subject is utf8.
Kind regards
Nils
Updated by Alexander Opitz over 9 years ago
- Status changed from Needs Feedback to New
- Target version changed from next-patchlevel to 6.2.16
Updated by Gerrit Code Review over 9 years ago
- Status changed from New to Under Review
Patch set 4 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at http://review.typo3.org/40518
Updated by Jens Jacobsen almost 8 years ago
- TYPO3 Version changed from 6.2 to 8
- PHP Version changed from 5.5 to 7.0
This bug is still there in 7.6 LTS and 8 LTS and in my case it's preventing a TYPO3 console command to add/edit files containing any UTF-8 character in special, even if the cli backend user has admin rights. If this whole contribute process would be easier to understand I maybe would supply a patch. For now I'm going to try patching the GeneralUtitlity class via Composer. The solution would be to add the u modifier only if the UTF8filesystem is enabled:
public static function verifyFilenameAgainstDenyPattern($filename)
{
$pattern = '/[[:cntrl:]]/';
if ((string)$filename !== '' && (string)$GLOBALS['TYPO3_CONF_VARS']['BE']['fileDenyPattern'] !== '') {
$pattern = '/(?:[[:cntrl:]]|' . $GLOBALS['TYPO3_CONF_VARS']['BE']['fileDenyPattern'] . ')/i' .
((bool)$GLOBALS['TYPO3_CONF_VARS']['SYS']['UTF8filesystem'] ? 'u' : '');
}
return !preg_match($pattern, $filename);
}
Updated by Riccardo De Contardi over 7 years ago
- Target version deleted (
6.2.16)
Updated by Gerrit Code Review over 6 years ago
Patch set 1 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/57389
Updated by Mathias Brodala over 6 years ago
- Has duplicate Bug #85384: verifyFilenameAgainstDenyPattern doesn´t work with UTF-8 strings in Command added
Updated by Gerrit Code Review over 6 years ago
Patch set 2 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/57389
Updated by Gerrit Code Review over 6 years ago
Patch set 3 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/57389
Updated by Gerrit Code Review over 6 years ago
Patch set 4 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/57389
Updated by Gerrit Code Review over 6 years ago
Patch set 5 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/57389
Updated by Gerrit Code Review over 6 years ago
Patch set 1 for branch TYPO3_8-7 of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/58772
Updated by Anonymous over 6 years ago
- Status changed from Under Review to Resolved
- % Done changed from 0 to 100
Applied in changeset 020d8cac4349663d551649644244723afefb594e.
Updated by Benni Mack almost 6 years ago
- Status changed from Resolved to Closed