Commit bcae924d authored by Oliver Hader, committed by Oliver Hader

[BUGFIX] Properly encode error messages in FileController

Invalid file names containing special characters like `<` or `>`
are not correctly represented as a text node. Error messages wrapped
in an XML node need to be properly encoded.

This was originally reported as a vulnerability. After analyzing the
scenario, the TYPO3 Security Team came to the conclusion to handle it
in public. It cannot be exploited directly without knowing the backend
form protection token of a particular user session.

Resolves: #98382
Releases: 11.5, 10.4
Change-Id: Icd73de28ef3b702b45cbc8f232b5595b6fda127b
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/76350
Tested-by: core-ci <typo3@b13.com>
Tested-by: Oliver Hader <oliver.hader@typo3.org>
Reviewed-by: Oliver Klee <typo3-coding@oliverklee.de>
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>
parent 7e747470