[SECURITY] Prevent edit of file metadata of files with no access
By forging edit URLs it was possible to edit meta data records of files which were not within a user mount. Implement several hooks to check access to the file and only grant access to a meta data record if the user has access to the file.

Resolves: #56644
Releases: master, 6.2
Security-Bulletin: TYPO3-CORE-SA-2015-002
Change-Id: I0f0704af2e7f01d16b9420f9ba4ac1a7846b5270
Reviewed-on: http://review.typo3.org/40804
Reviewed-by: Benjamin Mack <benni@typo3.org>
Tested-by: Benjamin Mack <benni@typo3.org>
Reviewed-by: Helmut Hummel <helmut.hummel@typo3.org>
Tested-by: Helmut Hummel <helmut.hummel@typo3.org>
Showing
- typo3/sysext/backend/Classes/Form/Container/InlineRecordContainer.php (14 additions, 0 deletions)
- typo3/sysext/core/Classes/Resource/Security/FileMetadataPermissionsAspect.php (169 additions, 0 deletions)
- typo3/sysext/core/Documentation/Changelog/master/Feature-56644-AddHookToInlineRecordContainerCheckAccess.rst (18 additions, 0 deletions)
- typo3/sysext/core/ext_localconf.php (7 additions, 0 deletions)