Commit 78fb9287 authored by Oliver Hader, committed by Oliver Hader

[!!!][SECURITY] Enforce absolute path checks in FAL local driver

The File Abstraction Layer Local Driver did not verify whether
a given absolute file path is allowed, and made it possible to
access files outside of the project path, and to by-pass the
setting in $GLOBALS['TYPO3_CONF_VARS']['BE']['lockRootPath'].

In case lockRootPath is not set, any local file path must be
at least located in the base directory of the current project.

The lockRootPath setting now supports array values as well.

The trailing slash is enforced automatically. Example:
* instead of 'lockRootPath=/var/spe' previously matching
  the paths '/var/specs/' and '/var/specials/',
* now both paths need to be declared explicitly, since
  'lockRootPath=/var/spe' is evaluated as '/var/spe/'

Resolves: #102800
Releases: main, 13.0, 12.4, 11.5
Change-Id: I6561df562c5dbaff1f77d33db24d5f1c6358b198
Security-Bulletin: TYPO3-CORE-SA-2024-001
Security-References: CVE-2023-30451
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/82945


Reviewed-by: Oliver Hader <oliver.hader@typo3.org>
Tested-by: Oliver Hader <oliver.hader@typo3.org>
parent e72b7c6c
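
The prefix behaviour the commit message describes, as an added example that is not code from this commit or from TYPO3 core: a plain string-prefix check beside one that enforces the trailing slash, accepts an array of roots, and falls back to the project path. The function names, the sample paths and the lexical path normalization are assumptions of this sketch (PHP 8).

```php
<?php
declare(strict_types=1);

// Hypothetical helpers for illustration; these are not TYPO3 core functions.

/** Lexically resolve "." and ".." and collapse repeated slashes in an absolute path. */
function canonicalizePath(string $path): string
{
    $parts = [];
    foreach (explode('/', str_replace('\\', '/', $path)) as $segment) {
        if ($segment === '' || $segment === '.') {
            continue;
        }
        if ($segment === '..') {
            array_pop($parts);
            continue;
        }
        $parts[] = $segment;
    }
    return '/' . implode('/', $parts);
}

/** Model of the old behaviour: bare string prefix, no trailing slash enforced. */
function isAllowedLoose(string $path, string $lockRootPath): bool
{
    return str_starts_with($path, $lockRootPath);
}

/** Model of the new behaviour: every root ends in "/", arrays allowed, project path as fallback. */
function isAllowedStrict(string $path, string|array $lockRootPath, string $projectPath): bool
{
    $roots = array_filter((array)$lockRootPath, static fn ($root) => is_string($root) && $root !== '');
    if ($roots === []) {
        $roots = [$projectPath]; // lockRootPath not set: stay inside the project
    }
    $candidate = rtrim(canonicalizePath($path), '/') . '/';
    foreach ($roots as $root) {
        if (str_starts_with($candidate, rtrim(canonicalizePath($root), '/') . '/')) {
            return true;
        }
    }
    return false;
}

// Constructed sample values: a sibling directory that only shares the prefix "/var/spe".
var_dump(isAllowedLoose('/var/specials/a.txt', '/var/spe'));
var_dump(isAllowedStrict('/var/specials/a.txt', '/var/spe', '/var/www/site'));
var_dump(isAllowedStrict('/var/specials/a.txt', ['/var/specs', '/var/specials'], '/var/www/site'));
var_dump(isAllowedStrict('/etc/passwd', [], '/var/www/site'));
```

When auditing an existing installation, list every directory that a short lockRootPath value used to cover by prefix and declare each one explicitly in the array form.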