Commit b47b6ddf authored by Oliver Hader, committed by Oliver Hader

[SECURITY] Deny directly modifying file abstraction layer entities

Write access to table `sys_file` is denied per default, unless data
is being imported. In addition, write access to related FAL entities
`sys_file_reference` and `sys_file_metadata` is denied in case a file
on legacy storage (uid=0) is used or corresponding user does not have
permissions to access a particular file.

Resolves: #93969
Releases: main, 13.0, 12.4, 11.5
Change-Id: Ic8ac7132d732bd117aa63f6a33545ceb1d1f421d
Security-Bulletin: TYPO3-CORE-SA-2024-006
Security-References: CVE-2024-25121
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/82950


Tested-by: Oliver Hader <oliver.hader@typo3.org>
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>
parent 33f4d279