From 08011314eb18c111804d1d7fd74a47174ecc7a9d Mon Sep 17 00:00:00 2001
From: Marco Huber <mail@marco-huber.de>
Date: Tue, 19 Jan 2016 10:54:54 +0100
Subject: [PATCH] [BUGFIX] Denied file extensions still shown in upload forms

The list of denied file extensions does not contain a dot, but our
fileDenyPattern by default starts with a dot. Therefore, although a
check is performed, the file extensions will still be displayed even
though uploading files with the extension is forbidden by
fileDenyPattern.

This commit adds the dot before the extension when performing the
check, effectively hiding forbidden extensions.

Resolves: #72803
Releases: master, 7.6
Change-Id: I2ec3d02e096b46309932604a53ea4c416ba9812a
Reviewed-on: https://review.typo3.org/46072
Reviewed-by: Andreas Wolf <andreas.wolf@typo3.org>
Tested-by: Andreas Wolf <andreas.wolf@typo3.org>
---
 .../Classes/Controller/File/CreateFolderController.php        | 4 ++--
 .../sysext/recordlist/Classes/View/FolderUtilityRenderer.php  | 4 ++--
 2 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/typo3/sysext/backend/Classes/Controller/File/CreateFolderController.php b/typo3/sysext/backend/Classes/Controller/File/CreateFolderController.php
index 3f0000d34b49..87ef805aaaaa 100644
--- a/typo3/sysext/backend/Classes/Controller/File/CreateFolderController.php
+++ b/typo3/sysext/backend/Classes/Controller/File/CreateFolderController.php
@@ -223,7 +223,7 @@ class CreateFolderController extends AbstractModule
             $fileExtList = array();
             $onlineMediaFileExt = OnlineMediaHelperRegistry::getInstance()->getSupportedFileExtensions();
             foreach ($onlineMediaFileExt as $fileExt) {
-                if (GeneralUtility::verifyFilenameAgainstDenyPattern($fileExt)) {
+                if (GeneralUtility::verifyFilenameAgainstDenyPattern('.' . $fileExt)) {
                     $fileExtList[] = '<span class="label label-success">' . strtoupper(htmlspecialchars($fileExt)) . '</span>';
                 }
             }
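Review bot: The probe name `'.' . $fileExt` is a bare dotfile with no basename, so the rendered label list mirrors fileDenyPattern only when the configured pattern matches on the dot plus extension alone. The commit message says the default pattern does, but a site-specific pattern that expects characters before the dot would presumably still let a denied extension appear here. The same applies to the second hunk in this file and to both hunks in FolderUtilityRenderer.php. Because this loop only decides which labels are rendered, a short comment would keep readers from treating it as the enforcement point, e.g. `// Display hint only: probe with a dot-prefixed name because fileDenyPattern matches ".ext"; the real filename must still be checked on upload.` The enclosing method starts and ends outside the hunk.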
@@ -262,7 +262,7 @@ class CreateFolderController extends AbstractModule
             $fileExtList = array();
             $textFileExt = GeneralUtility::trimExplode(',', $GLOBALS['TYPO3_CONF_VARS']['SYS']['textfile_ext'], true);
             foreach ($textFileExt as $fileExt) {
-                if (GeneralUtility::verifyFilenameAgainstDenyPattern($fileExt)) {
+                if (GeneralUtility::verifyFilenameAgainstDenyPattern('.' . $fileExt)) {
                     $fileExtList[] = '<span class="label label-success">' . strtoupper(htmlspecialchars($fileExt)) . '</span>';
                 }
             }
diff --git a/typo3/sysext/recordlist/Classes/View/FolderUtilityRenderer.php b/typo3/sysext/recordlist/Classes/View/FolderUtilityRenderer.php
index f578ad83c148..9ca30f278092 100644
--- a/typo3/sysext/recordlist/Classes/View/FolderUtilityRenderer.php
+++ b/typo3/sysext/recordlist/Classes/View/FolderUtilityRenderer.php
@@ -122,7 +122,7 @@ class FolderUtilityRenderer
         // Create a list of allowed file extensions with the readable format "youtube, vimeo" etc.
         $fileExtList = array();
         foreach ($allowedExtensions as $fileExt) {
-            if (GeneralUtility::verifyFilenameAgainstDenyPattern($fileExt)) {
+            if (GeneralUtility::verifyFilenameAgainstDenyPattern('.' . $fileExt)) {
                 $fileExtList[] = '<span class="label label-success">'
                     . strtoupper(htmlspecialchars($fileExt)) . '</span>';
             }
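Review bot: The `'.' . $fileExt` prefix is now written out at four call sites across two classes (here, the next hunk, and both hunks in CreateFolderController.php), so the rule for turning a bare extension into a probe filename lives in four places. One small helper that takes the bare extension and returns `GeneralUtility::verifyFilenameAgainstDenyPattern('.' . $fileExt)` would keep the upload-form hints in step if the probe ever has to change. The surrounding method is only partly visible in this hunk.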
@@ -182,7 +182,7 @@ class FolderUtilityRenderer
         $fileExtList = array();
         $onlineMediaFileExt = OnlineMediaHelperRegistry::getInstance()->getSupportedFileExtensions();
         foreach ($onlineMediaFileExt as $fileExt) {
-            if (GeneralUtility::verifyFilenameAgainstDenyPattern($fileExt)
+            if (GeneralUtility::verifyFilenameAgainstDenyPattern('.' . $fileExt)
                 && (empty($allowedExtensions) || in_array($fileExt, $allowedExtensions, true))
             ) {
                 $fileExtList[] = '<span class="label label-success">'
-- 
GitLab