[SECURITY] Disallow invalid encoding in GeneralUtility::validPathStr
Directory names, which have an invalid UTF encoding, cause the preg_match() to return false. To avoid that the complete statement in GeneralUtility::validPathStr() returns true in this case, a strict comparison against 0 is added, so that we ensure that strings with invalid encodings are rejected by this API method. As a consequence UTF-16 encoded path names are rejected as well, if the system / file system does not support them. Resolves: #73453 Releases: master, 8.4, 7.6, 6.2 Security-Commit: c54aa56d18815aa1867ec54358ad419ea03ec205 Security-Bulletins: TYPO3-CORE-SA-2016-023, 024 Change-Id: Iedd6628050d8cdf2efe429bcd7b577f5a6d11805 Reviewed-on: https://review.typo3.org/50744 Reviewed-by:Oliver Hader <oliver.hader@typo3.org> Tested-by:
Showing
- composer.json 2 additions, 1 deletioncomposer.json
- composer.lock 2 additions, 2 deletionscomposer.lock
- typo3/sysext/core/Classes/Utility/GeneralUtility.php 1 addition, 2 deletionstypo3/sysext/core/Classes/Utility/GeneralUtility.php
- typo3/sysext/core/Tests/Unit/Utility/GeneralUtilityTest.php 34 additions, 4 deletionstypo3/sysext/core/Tests/Unit/Utility/GeneralUtilityTest.php
Please register or sign in to comment