[SECURITY] Do not display full path to ENABLE_INSTALL_TOOL file
When the Install Tool is used in composer mode, the login
displays a hint about where the ENABLE_INSTALL_TOOL file
must be placed to unlock the Install Tool.

This hint does not show the full path anymore.
Only the path relative to the project root is shown.

Resolves: #102242
Releases: main, 12.4
Change-Id: I1e9cbfe3ef7d4cc6af9635da71d0c7450fe44aa6
Security-Bulletin: TYPO3-CORE-SA-2023-005
Security-References: CVE-2023-47126
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/81733
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>
Tested-by: Oliver Hader <oliver.hader@typo3.org>
liayn authored and ohader committed Nov 14, 2023
1 parent 3d982b3 commit 24b5f8d
Showing 2 changed files with 10 additions and 3 deletions.
4 changes: 1 addition & 3 deletions typo3/sysext/install/Classes/Controller/LoginController.php
Expand Up @@ -20,7 +20,6 @@
use Psr\Http\Message\ResponseInterface;
use Psr\Http\Message\ServerRequestInterface;
use TYPO3\CMS\Core\Configuration\ConfigurationManager;
use TYPO3\CMS\Core\Core\Environment;
use TYPO3\CMS\Core\FormProtection\FormProtectionFactory;
use TYPO3\CMS\Core\Http\JsonResponse;
use TYPO3\CMS\Install\Service\EnableFileService;
Expand All @@ -42,8 +41,7 @@ public function __construct(
public function showEnableInstallToolFileAction(ServerRequestInterface $request): ResponseInterface
{
$view = $this->initializeView($request);
$path = str_replace(Environment::getPublicPath() . '/', '', dirname(EnableFileService::getBestLocationForInstallToolEnableFile())) . '/';
$view->assign('enableInstallToolPath', $path);
$view->assign('enableInstallToolPath', EnableFileService::getStaticLocationForInstallToolEnableFileDirectory());
return new JsonResponse([
'success' => true,
'html' => $view->render('Login/ShowEnableInstallToolFile'),
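Review bot: The new assignment in showEnableInstallToolFileAction() gives no hint to the reader that the static path is intentional, so a later maintainer could "improve" it back to the real on-disk location and reintroduce the full-path disclosure this commit removes; a one-line why-comment above the `$view->assign(...)` line would anchor the intent: `// Deliberately a fixed, project-relative directory: this view is rendered for unauthenticated visitors, so the real filesystem location must not be disclosed here.` The removal of the `use TYPO3\CMS\Core\Core\Environment;` import looks consistent with the body no longer calling Environment::getPublicPath(), but the rest of the class is outside the hunk, so that it has no other users of Environment cannot be confirmed from here. The method's body continues past the end of the hunk.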
9 changes: 9 additions & 0 deletions typo3/sysext/install/Classes/Service/EnableFileService.php
Expand Up @@ -158,6 +158,15 @@ protected static function extendInstallToolEnableFileLifetime()
}
}

/**
* Returns a static directory path that is suitable to be presented to
* unauthenticated visitors, in order to circumvent "Full Path Disclosure" issues.
*/
public static function getStaticLocationForInstallToolEnableFileDirectory(): string
{
return Environment::isComposerMode() ? 'var/transient/' : 'typo3conf/';
}

public static function getBestLocationForInstallToolEnableFile(): string
{
$possibleLocations = [
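Review bot: Nothing ties the two string literals in getStaticLocationForInstallToolEnableFileDirectory() to the directory that getBestLocationForInstallToolEnableFile() actually resolves, so the login hint can silently drift from the real location if the candidate list in the latter method (its body starts at the bottom of the hunk and continues outside it) is ever changed; a unit test asserting that the best location, made relative to the project root, ends with the static directory would catch that. The docblock should also state the contract callers rely on, since the value is shown verbatim to visitors: `Returns a directory relative to the project root, with a trailing slash, and must never be derived from the actual filesystem.` The method is presumably only ever meant to feed user-facing text, not to be used for locating the file — worth saying explicitly so it is not reused for that.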
