From a9b64f1205ad338c245f6c5d3cc7eca2fc74526a Mon Sep 17 00:00:00 2001
From: Benni Mack <benni@typo3.org>
Date: Fri, 13 Dec 2019 17:06:06 +0100
Subject: [PATCH] [TASK] Simplify checks on Import about allowed filenames

In TYPO3 v10, BasicFileUtility is not used by DataHandler anymore,
and never initialized with other file permissions than "allow
any file ending", which is why the simple check on the fileDenyPattern
can be used directly in Import functionality.

The next patch can then clean up BasicFileUtility, where the
methods which belong to "internal_type=file" are no longer in use.

Resolves: #89941
Releases: master
Change-Id: I58a28a1cd1f6d284d241479a324c877a2824e7bb
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/62627
Tested-by: TYPO3com <noreply@typo3.com>
Tested-by: Anja Leichsenring <aleichsenring@ab-softlab.de>
Tested-by: Susanne Moog <look@susi.dev>
Reviewed-by: Georg Ringer <georg.ringer@gmail.com>
Reviewed-by: Anja Leichsenring <aleichsenring@ab-softlab.de>
Reviewed-by: Susanne Moog <look@susi.dev>
---
 typo3/sysext/impexp/Classes/Import.php       | 2 +-
 typo3/sysext/impexp/Classes/ImportExport.php | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/typo3/sysext/impexp/Classes/Import.php b/typo3/sysext/impexp/Classes/Import.php
index daa955e2f1aa..54f62433e12c 100644
--- a/typo3/sysext/impexp/Classes/Import.php
+++ b/typo3/sysext/impexp/Classes/Import.php
@@ -1543,7 +1543,7 @@ class Import extends ImportExport
             }
         }
         $fI = GeneralUtility::split_fileref($fileName);
-        if (!$fileProcObj->checkIfAllowed($fI['fileext'], $fI['path'], $fI['file'])) {
+        if (!GeneralUtility::verifyFilenameAgainstDenyPattern($fI['file'])) {
             $this->error('ERROR: Filename "' . $fileName . '" failed against extension check or deny-pattern!');
             return false;
         }
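Review bot: The error text right after the changed condition still reads `failed against extension check or deny-pattern!`, but the new condition evaluates only the deny pattern, so the import log reports an extension check that no longer runs. I would reword it to `'ERROR: Filename "' . $fileName . '" matched the file deny pattern!'`; the same applies to `'File extension was not allowed!'` in the ImportExport.php hunk. A short comment above the condition, such as `// Only the deny pattern is enforced here; extension allow-lists are no longer applied on import`, would make the narrowed scope explicit. The enclosing method starts and ends outside the hunk.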
diff --git a/typo3/sysext/impexp/Classes/ImportExport.php b/typo3/sysext/impexp/Classes/ImportExport.php
index 4ea1d3630533..558db39664c0 100644
--- a/typo3/sysext/impexp/Classes/ImportExport.php
+++ b/typo3/sysext/impexp/Classes/ImportExport.php
@@ -764,7 +764,7 @@ abstract class ImportExport
                 $fileProcObj = $this->getFileProcObj();
                 if ($fileProcObj->actionPerms['addFile']) {
                     $testFI = GeneralUtility::split_fileref(Environment::getPublicPath() . '/' . $fI['relFileName']);
-                    if (!$fileProcObj->checkIfAllowed($testFI['fileext'], $testFI['path'], $testFI['file'])) {
+                    if (!GeneralUtility::verifyFilenameAgainstDenyPattern($testFI['file'])) {
                         $pInfo['msg'] .= 'File extension was not allowed!';
                     }
                 } else {
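Review bot: Only `$testFI['file']` reaches the new check, although `$testFI` is built from `Environment::getPublicPath() . '/' . $fI['relFileName']`, so the directory part of the target is not validated by this condition; `relFileName` presumably originates from the import data. The Import.php hunk likewise stops passing `$fI['path']`. If the removed `checkIfAllowed()` also constrained the destination path (its body is not visible here), that restriction is lost and should be confirmed to be enforced elsewhere before the file is written. At minimum I would add a comment above the condition: `// Deny-pattern check covers the file name only; the target path must be validated separately`. The surrounding block continues outside the hunk.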
-- 
GitLab