[SECURITY] XSS in file list through file extension
FAL currently filters invalid characters from file names stored by its
API. However, this sanitization had no effect when the file was placed
by e.g. uploads via FTP, which doesn't trigger FAL.

This patch adds a missing `htmlspecialchars` call when the file
extension is rendered and could not be sanitized before due to the
circumstances mentioned.

Resolves: #88931
Releases: master, 9.5, 8.7
Security-Commit: 6f1816c5d0d5bcc3f3c986b8a5f4ee1ee63beb34
Security-Bulletin: TYPO3-CORE-SA-2019-023
Change-Id: I2e4297110c81fcee17d0c5b08ac06910ab754989
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/62705
Tested-by: Oliver Hader <oliver.hader@typo3.org>
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>
andreaskienast authored and ohader committed Dec 17, 2019
1 parent 64db88b commit fcc1bab
Showing 1 changed file with 1 addition and 1 deletion.
2 changes: 1 addition & 1 deletion typo3/sysext/filelist/Classes/FileList.php
@@ -1054,7 +1054,7 @@ public function formatFileList(array $files)
$theData[$field] = '' . (!$fileObject->checkActionPermission('read') ? ' ' : '<strong class="text-danger">' . htmlspecialchars($this->getLanguageService()->getLL('read')) . '</strong>') . (!$fileObject->checkActionPermission('write') ? '' : '<strong class="text-danger">' . htmlspecialchars($this->getLanguageService()->getLL('write')) . '</strong>');
break;
case 'fileext':
$theData[$field] = strtoupper($ext);
$theData[$field] = htmlspecialchars(strtoupper($ext));
break;
case 'tstamp':
$theData[$field] = BackendUtility::date($fileObject->getModificationTime());
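Review bot: Escaping at the output site (`htmlspecialchars(strtoupper($ext))`) is the right layer here, because the commit message itself states that FAL's input sanitization is bypassed for files placed outside its API (FTP uploads), so the extension must be treated as untrusted wherever it is rendered; the same reasoning applies to every other column in `formatFileList()` that renders file-derived data, so it would be worth confirming that the neighbouring cases not visible in this hunk (the file name column in particular) escape the same way, rather than relying on FAL having cleaned the name. A functional test that places a file with `<` or `"` in its extension and asserts the rendered list contains the escaped form would also pin this regression down, since the `read`/`write` labels a few lines above already show the pattern.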
