Uncaught TYPO3 Exception if TYPO3-PSA-2019-010 applied
The security advisory "TYPO3-PSA-2019-010: Cross-Site Scripting Vulnerabilities in File Upload Handling" (https://typo3.org/security/advisory/typo3-psa-2019-010) advises, among other things, to add the html file extension to the TYPO3_CONF_VARS/BE/fileDenyPattern install tool setting.
If this is done, it seems that the register email template file of datamints_feuser can't be accessed anymore, because the following exception is shown in the frontend:
Uncaught TYPO3 Exception #1375955429: You are not allowed to access that file: "datamints_feuser_mail.html" (More information) TYPO3\CMS\Core\Resource\Exception\InsufficientFileAccessPermissionsException thrown in file REMOVED\private\typo3\sysext\core\Classes\Resource\ResourceStorage.php in line 843.
In my scenario the user is registered, but instead of the success message in the frontend, the uncaught TYPO3 exception is shown. The adminapproval also doesn't work, and the emails to the admin are not sent.
Updated by Bernhard Baumgartl, datamints GmbH over 1 year ago
- Status changed from New to Needs Feedback
One possible solution could be to use another file suffix like '.tmpl' and block access to that suffix via '.htaccess'.
EDIT: Or remove '.html' from the blocked types and add a '.htaccess' rule.