[SECURITY] Avoid DoS in Online Media Helper

Using large media files (*.youtube, *.vimeo in the TYPO3 core) might lead to denial of service scenarios. In order to avoid that, media files are limited to have a content size of 2048 bytes as a maximum. Usually these files contain just the remote identifier - thus, ~20 bytes should have been sufficient already. Resolves: #85381 Releases: master, 8.7, 7.6 Security-Commit: 36c64c45461dee1c4018b7c72a989952d1e2dd45 Security-Bulletin: TYPO3-CORE-SA-2018-011 Change-Id: Ib54cd9ab822ee33a44170822cc0a3c4da4132c95 Reviewed-on: https://review.typo3.org/59105 Reviewed-by: Oliver Hader <oliver.hader@typo3.org> Tested-by: Oliver Hader <oliver.hader@typo3.org>
TYPO3-CMS · Dec 11, 2018 · 9b2ecd2 · 9b2ecd2
1 parent 3c1deac
commit 9b2ecd2
Showing 1 changed file with 4 additions and 0 deletions.
diff --git a/Classes/Resource/OnlineMedia/Helpers/AbstractOnlineMediaHelper.php b/Classes/Resource/OnlineMedia/Helpers/AbstractOnlineMediaHelper.php
@@ -60,6 +60,10 @@ public function __construct($extension)
     public function getOnlineMediaId(File $file)
     {
         if (!isset($this->onlineMediaIdCache[$file->getUid()])) {
+            // Limiting media identifier to 2048 bytes
+            if ($file->getSize() > 2048) {
+                return '';
+            }
             // By definition these files only contain the ID of the remote media source
             $this->onlineMediaIdCache[$file->getUid()] = trim($file->getContents());
         }