Bug #67245

Prevent information disclosure in file list

Added by Nicole Cordes almost 5 years ago. Updated over 2 years ago.

Status: Closed
Priority: Should have
Assignee:
Category: File Abstraction Layer (FAL)
Target version:
Start date: 2015-06-02
Due date:
% Done: 100%
TYPO3 Version: 6.2
PHP Version:
Tags:
Complexity:
Is Regression: No
Sprint Focus:

Description

Currently the doc header title shows the full path to a folder even if you are in a mount point.


Related issues

Related to TYPO3 Core - Bug #73735: Error 500 (mem exhausted) when a user has multiple filemounts Closed 2016-02-29
Related to TYPO3 Core - Bug #75484: Error in file list module when having a read-only filemount for the same path as a normal filemount Rejected 2016-04-10

Associated revisions

Revision 3c75434c (diff)
Added by Nicole Cordes over 4 years ago

[BUGFIX] Prevent information disclosure in file list

Currently the doc header title of a folder shows the full path even
if the current folder is inside a mount point. This patch prevents
showing the full path by not disabling the permission check but catching
a thrown exception and returning the path inside the mount point.

Resolves: #67245
Releases: master, 6.2
Change-Id: I6e5486e8c6f923decc4016b57ff60a562f189749
Reviewed-on: http://review.typo3.org/39898
Reviewed-by: Markus Klein <>
Tested-by: Harry Glatz <>
Reviewed-by: Susanne Moog <>
Tested-by: Susanne Moog <>

Revision d8468787 (diff)
Added by Nicole Cordes over 4 years ago

[BUGFIX] Prevent information disclosure in file list

Currently the doc header title of a folder shows the full path even
if the current folder is inside a mount point. This patch prevents
showing the full path by not disabling the permission check but catching
a thrown exception and returning the path inside the mount point.

Resolves: #67245
Releases: master, 6.2
Change-Id: I6e5486e8c6f923decc4016b57ff60a562f189749
Reviewed-on: http://review.typo3.org/42588
Reviewed-by: Daniel Goerz <>
Tested-by: Daniel Goerz <>
Reviewed-by: Nicole Cordes <>
Tested-by: Nicole Cordes <>
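
The approach named in the commit message (keep the permission check enabled, catch the exception at the mount boundary, show only the path inside the mount point) can be sketched as follows. This is an added example for PHP 8.1+, not the TYPO3 patch or FAL code; `Folder`, `AccessDenied`, `docHeaderTitle()` and the sample paths are hypothetical names constructed for illustration.

```php
<?php
// Added illustration; hypothetical stand-ins, not TYPO3 FAL classes.
final class AccessDenied extends RuntimeException {}

final class Folder
{
    public function __construct(
        public readonly string $identifier, // storage path with trailing slash
        private readonly string $mountRoot  // constructed: the user's file mount
    ) {}

    public function getName(): string
    {
        return basename($this->identifier);
    }

    // The permission check stays enabled: stepping above the mount throws.
    public function getParent(): Folder
    {
        $parent = rtrim(dirname($this->identifier), '/') . '/';
        if (!str_starts_with($parent, $this->mountRoot)) {
            throw new AccessDenied('Parent folder is outside the file mount');
        }
        return new Folder($parent, $this->mountRoot);
    }
}

function docHeaderTitle(Folder $folder): string
{
    $names = [];
    try {
        while (true) {
            array_unshift($names, $folder->getName());
            $parent = $folder->getParent();
            if ($parent->identifier === $folder->identifier) {
                break; // the storage root is its own parent: keep the walk bounded
            }
            $folder = $parent;
        }
    } catch (AccessDenied $e) {
        // Mount boundary reached: segments above it are never added to the title.
    }
    $path = implode('/', array_filter($names, fn ($n) => $n !== ''));
    return $path === '' ? '/' : "/$path/";
}

// Constructed sample: the user's mount is /clients/acme/ inside the storage.
$current = new Folder('/clients/acme/docs/2015/', '/clients/acme/');
echo docHeaderTitle($current), PHP_EOL;
```

The title is built only from folders the permission check allowed the walk to reach, so the `/clients/` segment above the mount never appears in it.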

History

#1 Updated by Gerrit Code Review almost 5 years ago

  • Status changed from New to Under Review

Patch set 1 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at http://review.typo3.org/39898

#2 Updated by Benni Mack almost 5 years ago

  • Target version changed from 7.3 (Packages) to 7.4 (Backend)

#3 Updated by Gerrit Code Review over 4 years ago

Patch set 2 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at http://review.typo3.org/39898

#4 Updated by Nicole Cordes over 4 years ago

  • Status changed from Under Review to Resolved
  • % Done changed from 0 to 100

#5 Updated by Gerrit Code Review over 4 years ago

  • Status changed from Resolved to Under Review

Patch set 1 for branch TYPO3_6-2 of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at http://review.typo3.org/42588

#6 Updated by Nicole Cordes over 4 years ago

  • Status changed from Under Review to Resolved

#7 Updated by Lorenz Ulrich about 4 years ago

This change broke a project of ours: Users with only limited access to files (through mountpoints) cannot use the file list anymore. When clicking a folder, TYPO3 runs into a memory leak and only serves a white page. Reverting the patch brings back normal behaviour.

#8 Updated by Riccardo De Contardi over 2 years ago

  • Status changed from Resolved to Closed
