[BUGFIX] Guard FAL API when called with invalid identifiers

When calling ResourceFactory::getInstance() ->getFileObjectFromCombinedIdentifier($identifier) with $identifier === NULL or $identifier === '' an index entry is written for storage 0 which contains the last path segment of PATH_site as identifier. Guard the API in two places by throwing exceptions when an invalid file identifier is given. Resolves: #59295 Releases: 6.2 Change-Id: Ie2d6d811193ee21b865161984ddbac240388573b Reviewed-on: https://review.typo3.org/30526 Reviewed-by: Fabien Udriot Tested-by: Fabien Udriot Reviewed-by: Steffen Ritter Tested-by: Steffen Ritter

[BUGFIX] Guard FAL API when called with invalid identifiers
When calling ResourceFactory::getInstance() ->getFileObjectFromCombinedIdentifier($identifier) with $identifier === NULL or $identifier === '' an index entry is written for storage 0 which contains the last path segment of PATH_site as identifier. Guard the API in two places by throwing exceptions when an invalid file identifier is given. Resolves: #59295 Releases: 6.2 Change-Id: Ie2d6d811193ee21b865161984ddbac240388573b Reviewed-on: https://review.typo3.org/30526 Reviewed-by: Fabien Udriot Tested-by: Fabien Udriot Reviewed-by: Steffen Ritter Tested-by: Steffen Ritter
944d335b · Helmut Hummel · Steffen Ritter · 1682401c · 944d335b · 944d335b
Commit 944d335b authored 10 years ago by Helmut Hummel Committed by Steffen Ritter 10 years ago
--- a/typo3/sysext/core/Classes/Resource/Driver/LocalDriver.php
+++ b/typo3/sysext/core/Classes/Resource/Driver/LocalDriver.php
@@ -267,7 +267,7 @@ class LocalDriver extends AbstractHierarchicalFilesystemDriver {
 		$absoluteFilePath = $this->getAbsolutePath($fileIdentifier);
 		// don't use $this->fileExists() because we need the absolute path to the file anyways, so we can directly
 		// use PHP's filesystem method.
-		if (!file_exists($absoluteFilePath)) {
+		if (!file_exists($absoluteFilePath) || !is_file($absoluteFilePath)) {
 			throw new \InvalidArgumentException('File ' . $fileIdentifier . ' does not exist.', 1314516809);
 		}
 		return $this->extractFileInformation($absoluteFilePath, $dirPath, $propertiesToExtract);

--- a/typo3/sysext/core/Classes/Resource/Index/Indexer.php
+++ b/typo3/sysext/core/Classes/Resource/Index/Indexer.php
@@ -62,8 +62,12 @@ class Indexer {
 	 *
 	 * @param string $identifier
 	 * @return File
+	 * @throws \InvalidArgumentException
 	 */
 	public function createIndexEntry($identifier) {
+		if (!isset($identifier) || !is_string($identifier) || $identifier === '') {
+			throw new \InvalidArgumentException('Invalid file identifier given. It must be of type string and not empty. "' . gettype($identifier) . '" given.', 1401732565);
+		}
 		$fileProperties = $this->gatherFileInformationArray($identifier);
 		$record = $this->getFileIndexRepository()->addRaw($fileProperties);
 		$fileObject = $this->getResourceFactory()->getFileObject($record['uid'], $record);

--- a/typo3/sysext/core/Classes/Resource/ResourceFactory.php
+++ b/typo3/sysext/core/Classes/Resource/ResourceFactory.php
@@ -370,8 +370,12 @@ class ResourceFactory implements ResourceFactoryInterface, \TYPO3\CMS\Core\Singl
 	 *
 	 * @param string $identifier
 	 * @return File
+	 * @throws \InvalidArgumentException
 	 */
 	public function getFileObjectFromCombinedIdentifier($identifier) {
+		if (!isset($identifier) || !is_string($identifier) || $identifier === '') {
+			throw new \InvalidArgumentException('Invalid file identifier given. It must be of type string and not empty. "' . gettype($identifier) . '" given.', 1401732564);
+		}
 		$parts = GeneralUtility::trimExplode(':', $identifier);
 		if (count($parts) === 2) {
 			$storageUid = $parts[0];