From 944d335b9e5a8faa97a37d1c6faeac4c31fc2163 Mon Sep 17 00:00:00 2001
From: Helmut Hummel <helmut.hummel@typo3.org>
Date: Mon, 2 Jun 2014 20:16:07 +0200
Subject: [PATCH] [BUGFIX] Guard FAL API when called with invalid identifiers

When calling ResourceFactory::getInstance()
->getFileObjectFromCombinedIdentifier($identifier)
with $identifier === NULL or $identifier === ''
an index entry is written for storage 0 which contains the
last path segment of PATH_site as identifier.

Guard the API in two places by throwing exceptions
when an invalid file identifier is given.

Resolves: #59295
Releases: 6.2
Change-Id: Ie2d6d811193ee21b865161984ddbac240388573b
Reviewed-on: https://review.typo3.org/30526
Reviewed-by: Fabien Udriot
Tested-by: Fabien Udriot
Reviewed-by: Steffen Ritter
Tested-by: Steffen Ritter
---
 typo3/sysext/core/Classes/Resource/Driver/LocalDriver.php | 2 +-
 typo3/sysext/core/Classes/Resource/Index/Indexer.php      | 4 ++++
 typo3/sysext/core/Classes/Resource/ResourceFactory.php    | 4 ++++
 3 files changed, 9 insertions(+), 1 deletion(-)

diff --git a/typo3/sysext/core/Classes/Resource/Driver/LocalDriver.php b/typo3/sysext/core/Classes/Resource/Driver/LocalDriver.php
index 5a19f633d09f..8516b764d3bd 100644
--- a/typo3/sysext/core/Classes/Resource/Driver/LocalDriver.php
+++ b/typo3/sysext/core/Classes/Resource/Driver/LocalDriver.php
@@ -267,7 +267,7 @@ class LocalDriver extends AbstractHierarchicalFilesystemDriver {
 		$absoluteFilePath = $this->getAbsolutePath($fileIdentifier);
 		// don't use $this->fileExists() because we need the absolute path to the file anyways, so we can directly
 		// use PHP's filesystem method.
-		if (!file_exists($absoluteFilePath)) {
+		if (!file_exists($absoluteFilePath) || !is_file($absoluteFilePath)) {
 			throw new \InvalidArgumentException('File ' . $fileIdentifier . ' does not exist.', 1314516809);
 		}
 		return $this->extractFileInformation($absoluteFilePath, $dirPath, $propertiesToExtract);
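Review bot: The exception thrown by this guard still says `File … does not exist.` when the path exists but is a directory, which is exactly the case the added `is_file()` check now rejects. A message such as `'File ' . $fileIdentifier . ' does not exist or is not a regular file.'` would keep the error and any log entry accurate. Since `is_file()` already returns false for a missing path, the condition can also be reduced to `if (!is_file($absoluteFilePath)) {`. The enclosing method starts and ends outside the hunk.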
diff --git a/typo3/sysext/core/Classes/Resource/Index/Indexer.php b/typo3/sysext/core/Classes/Resource/Index/Indexer.php
index 898879fee658..d7930b75c19b 100644
--- a/typo3/sysext/core/Classes/Resource/Index/Indexer.php
+++ b/typo3/sysext/core/Classes/Resource/Index/Indexer.php
@@ -62,8 +62,12 @@ class Indexer {
 	 *
 	 * @param string $identifier
 	 * @return File
+	 * @throws \InvalidArgumentException
 	 */
 	public function createIndexEntry($identifier) {
+		if (!isset($identifier) || !is_string($identifier) || $identifier === '') {
+			throw new \InvalidArgumentException('Invalid file identifier given. It must be of type string and not empty. "' . gettype($identifier) . '" given.', 1401732565);
+		}
 		$fileProperties = $this->gatherFileInformationArray($identifier);
 		$record = $this->getFileIndexRepository()->addRaw($fileProperties);
 		$fileObject = $this->getResourceFactory()->getFileObject($record['uid'], $record);
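Review bot: The guard at the top of createIndexEntry() is duplicated in ResourceFactory::getFileObjectFromCombinedIdentifier() with only the exception code changed, and in both places `!isset($identifier)` is redundant because `is_string()` already rejects NULL; `if (!is_string($identifier) || $identifier === '') {` is equivalent. For an empty string the message ends in `"string" given`, which reads as if a valid type had been rejected, so it would help to report emptiness separately from a wrong type. A shared private or static validation helper would keep the two checks from drifting apart. The method body continues past the end of the hunk.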
diff --git a/typo3/sysext/core/Classes/Resource/ResourceFactory.php b/typo3/sysext/core/Classes/Resource/ResourceFactory.php
index 433f780b0a8d..2191ec039688 100644
--- a/typo3/sysext/core/Classes/Resource/ResourceFactory.php
+++ b/typo3/sysext/core/Classes/Resource/ResourceFactory.php
@@ -370,8 +370,12 @@ class ResourceFactory implements ResourceFactoryInterface, \TYPO3\CMS\Core\Singl
 	 *
 	 * @param string $identifier
 	 * @return File
+	 * @throws \InvalidArgumentException
 	 */
 	public function getFileObjectFromCombinedIdentifier($identifier) {
+		if (!isset($identifier) || !is_string($identifier) || $identifier === '') {
+			throw new \InvalidArgumentException('Invalid file identifier given. It must be of type string and not empty. "' . gettype($identifier) . '" given.', 1401732564);
+		}
 		$parts = GeneralUtility::trimExplode(':', $identifier);
 		if (count($parts) === 2) {
 			$storageUid = $parts[0];
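Review bot: A whitespace-only identifier such as `' '` passes the new guard in getFileObjectFromCombinedIdentifier(), yet `GeneralUtility::trimExplode(':', $identifier)` on the following line trims it to an empty string. The empty-identifier case described in the commit message may therefore still be reachable through the single-part branch; that branch lies outside the hunk, so this is inferred rather than confirmed. Checking `trim($identifier) === ''` in the guard would reject those inputs before any storage lookup or index write happens.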
-- 
GitLab