From 51bbb9714c5d42b271e0e8dc583d8cdd1f2b7cfd Mon Sep 17 00:00:00 2001
From: Andreas Fernandez <a.fernandez@scripting-base.de>
Date: Tue, 17 Dec 2019 10:52:59 +0100
Subject: [PATCH] [SECURITY] XSS in file list through file extension

FAL currently filters invalid characters from file names stored by its
API. However, this sanitization has no effect when the file was placed
by other means, e.g. uploads via FTP, which do not go through FAL.

This patch adds a missing `htmlspecialchars` call when the file
extension is rendered and could not be sanitized before due to mentioned
circumstances.

Resolves: #88931
Releases: master, 9.5, 8.7
Security-Commit: 296c6a6723826b4ad2babbb1de5b9d23dfd256ea
Security-Bulletin: TYPO3-CORE-SA-2019-023
Change-Id: I24cbc623f6390944a608eadf3ebe7a13d294e0ae
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/62717
Tested-by: Oliver Hader <oliver.hader@typo3.org>
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>
---
 typo3/sysext/filelist/Classes/FileList.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/typo3/sysext/filelist/Classes/FileList.php b/typo3/sysext/filelist/Classes/FileList.php
index 91b9865e5698..ce4638012690 100644
--- a/typo3/sysext/filelist/Classes/FileList.php
+++ b/typo3/sysext/filelist/Classes/FileList.php
@@ -1003,7 +1003,7 @@ class FileList
                         $theData[$field] = '' . (!$fileObject->checkActionPermission('read') ? ' ' : '<strong class="text-danger">' . htmlspecialchars($this->getLanguageService()->getLL('read')) . '</strong>') . (!$fileObject->checkActionPermission('write') ? '' : '<strong class="text-danger">' . htmlspecialchars($this->getLanguageService()->getLL('write')) . '</strong>');
                         break;
                     case 'fileext':
-                        $theData[$field] = strtoupper($ext);
+                        $theData[$field] = htmlspecialchars(strtoupper($ext));
                         break;
                     case 'tstamp':
                         $theData[$field] = BackendUtility::date($fileObject->getModificationTime());
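Review bot: The added `htmlspecialchars` on the `fileext` case carries no explanation of why this value needs escaping while the surrounding columns are assumed safe, so a later cleanup could drop it as redundant; a short comment would pin the reason, e.g. `// $ext is derived from the on-disk name, which FAL did not sanitize when the file was placed by other means (e.g. FTP); escape it for HTML output`. The same untrusted origin applies to every other column that renders `$ext` or the raw file name in this method, and the enclosing method starts and ends outside the hunk, so those cases cannot be confirmed from here and deserve the same review. Note also that `htmlspecialchars` with default flags on PHP versions before 8.1 leaves single quotes unescaped, which is fine for element content as here but would not be sufficient if `$theData[$field]` is ever placed into a single-quoted attribute; passing `ENT_QUOTES | ENT_SUBSTITUTE` explicitly removes that dependency on the PHP version.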
-- 
GitLab