[SECURITY] Avoid DoS in Online Media Helper

Using large media files (*.youtube, *.vimeo in the TYPO3 core) might lead to denial of service scenarios. In order to avoid that, media files are limited to have a content size of 2048 bytes as a maximum. Usually these files contain just the remote identifier - thus, ~20 bytes should have been sufficient already. Resolves: #85381 Releases: master, 8.7, 7.6 Security-Commit: 38eec2deace776ed34d30b8e1e5e95fffec5db8a Security-Bulletin: TYPO3-CORE-SA-2018-011 Change-Id: I0af4f27e2de6db43c2801f1f3143c9cdb6e21867 Reviewed-on: https://review.typo3.org/59097 Reviewed-by: Oliver Hader <oliver.hader@typo3.org> Tested-by: Oliver Hader <oliver.hader@typo3.org>
TYPO3-CMS · Dec 11, 2018 · aa2dcb3 · aa2dcb3
1 parent 983ecc4
commit aa2dcb3
Showing 1 changed file with 4 additions and 0 deletions.
diff --git a/Classes/Resource/OnlineMedia/Helpers/AbstractOnlineMediaHelper.php b/Classes/Resource/OnlineMedia/Helpers/AbstractOnlineMediaHelper.php
@@ -59,6 +59,10 @@ public function __construct($extension)
     public function getOnlineMediaId(File $file)
     {
         if (!isset($this->onlineMediaIdCache[$file->getUid()])) {
+            // Limiting media identifier to 2048 bytes
+            if ($file->getSize() > 2048) {
+                return '';
+            }
             // By definition these files only contain the ID of the remote media source
             $this->onlineMediaIdCache[$file->getUid()] = trim($file->getContents());
         }