Bug #83029
closed
GIFBUILDER files cannot be delivered via web server
100%
Description
GIFBUILDER uses provided file names and text snippets in order to generate the final name for files to be written to. In case text snippets start with a dot, this is also reflected into the file name - preventing some web servers to deliver the file since it's considered to be internal.
Since directory separators are correctly converted there are no security vulnerabilities.
TypoScript:
page.20 = IMAGE
page.20.file = GIFBUILDER
page.20.file {
XY = [10.w]+10, [10.h]+10
backColor = #cc0000
10 = TEXT
10.text = .hello
10.fontColor = #000000
10.fontSize = 20
10.offset = 0,20
}
Updated by Gerrit Code Review about 7 years ago
- Status changed from New to Under Review
Patch set 1 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/54677
Updated by Gerrit Code Review about 7 years ago
Patch set 1 for branch TYPO3_8-7 of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/54712
Updated by Oliver Hader about 7 years ago
- Status changed from Under Review to Resolved
- % Done changed from 0 to 100
Applied in changeset 5dde3a363b14dc0c24972b547f14f3a1e0924d71.
Updated by