[SECURITY] Deny directly modifying file abstraction layer entities (b47b6ddf) · Commits · TYPO3 / TYPO3.CMS

Commit b47b6ddf authored 1 year ago by

Oliver Hader Committed by Oliver Hader 1 year ago

[SECURITY] Deny directly modifying file abstraction layer entities

Write access to table `sys_file` is denied per default, unless data
is being imported. In addition, write access to related FAL entities
`sys_file_reference` and `sys_file_metadata` is denied in case a file
on legacy storage (uid=0) is used or corresponding user does not have
permissions to access a particular file.

Resolves: #93969
Releases: main, 13.0, 12.4, 11.5
Change-Id: Ic8ac7132d732bd117aa63f6a33545ceb1d1f421d
Security-Bulletin: TYPO3-CORE-SA-2024-006
Security-References: CVE-2024-25121
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/82950


Tested-by: Oliver Hader <oliver.hader@typo3.org>
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>

parent 33f4d279

Branches