Fixed bug #16590: t3lib_TSparser::checkIncludeLines() does not check …

…files to be included (thanks to Fabrizio Branca) git-svn-id: https://svn.typo3.org/TYPO3v4/Core/branches/TYPO3_4-4@9774 709f56b5-9817-0410-a4d7-c38de5d9e867
TYPO3 · Dec 16, 2010 · e8e9261 · e8e9261
1 parent 9bb2fe6
commit e8e9261
Show file tree

Hide file tree

Showing 2 changed files with 15 additions and 10 deletions.
diff --git a/ChangeLog b/ChangeLog
@@ -1,6 +1,7 @@
 2010-12-16  Oliver Hader  <oliver@typo3.org>
 
 	* Fixed bug #14402: XSS in Install tool (thanks to Benjamin Mack)
+	* Fixed bug #16590: t3lib_TSparser::checkIncludeLines() does not check files to be included (thanks to Fabrizio Branca)
 
 2010-12-07  Christian Kuhn  <lolli@schwarzbu.ch>
 

diff --git a/t3lib/class.t3lib_tsparser.php b/t3lib/class.t3lib_tsparser.php
@@ -535,17 +535,21 @@ function checkIncludeLines($string, $cycle_counter=1, $returnFiles=false) {
 								case 'file':
 									$filename = t3lib_div::getFileAbsFileName(trim($sourceParts[1]));
 									if (strcmp($filename,''))	{	// Must exist and must not contain '..' and must be relative
-										if (@is_file($filename) && filesize($filename)<100000)	{	// Max. 100 KB include files!
-												// check for includes in included text
-											$includedFiles[] = $filename;
-											$included_text = self::checkIncludeLines(t3lib_div::getUrl($filename),$cycle_counter+1, $returnFiles);
-												// If the method also has to return all included files, merge currently included
-												// files with files included by recursively calling itself
-											if ($returnFiles && is_array($included_text)) {
-												$includedFiles = array_merge($includedFiles, $included_text['files']);
-												$included_text = $included_text['typoscript'];
+										if (t3lib_div::verifyFilenameAgainstDenyPattern($filename)) { // Check for allowed files
+											if (@is_file($filename) && filesize($filename)<100000)	{	// Max. 100 KB include files!
+													// check for includes in included text
+												$includedFiles[] = $filename;
+												$included_text = self::checkIncludeLines(t3lib_div::getUrl($filename),$cycle_counter+1, $returnFiles);
+													// If the method also has to return all included files, merge currently included
+													// files with files included by recursively calling itself
+												if ($returnFiles && is_array($included_text)) {
+													$includedFiles = array_merge($includedFiles, $included_text['files']);
+													$included_text = $included_text['typoscript'];
+												}
+												$newString.= $included_text.LF;
 											}
-											$newString.= $included_text.LF;
+										} else {
+											t3lib_div::sysLog('File "' . $filename . '" was not included since it is not allowed due to fileDenyPattern', 'Core', 2);
 										}
 									}
 								break;