Commit
[!!!][SECURITY] Enforce absolute path checks in FAL local driver
The File Abstraction Layer Local Driver did not verify whether a given absolute file path is allowed, and made it possible to access files outside of the project path, and to by-pass the setting in $GLOBALS['TYPO3_CONF_VARS']['BE']['lockRootPath'].

In case lockRootPath is not set, any local file path must be at least located in the base directory of the current project.

The lockRootPath setting now supports array values as well. The trailing slash is enforced automatically.

Example:

* instead of 'lockRootPath=/var/spe' previously matching the paths '/var/specs/' and '/var/specials/',
* now both paths need to be declared explicitly, since 'lockRootPath=/var/spe' is evaluated as '/var/spe/'

Resolves: #102800
Releases: main, 13.0, 12.4, 11.5
Change-Id: I6561df562c5dbaff1f77d33db24d5f1c6358b198
Security-Bulletin: TYPO3-CORE-SA-2024-001
Security-References: CVE-2023-30451
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/82951
Tested-by: Oliver Hader <oliver.hader@typo3.org>
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>
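The path check the commit message describes, written out as an added illustration in Python (it is not TYPO3's own PHP implementation): every root gets a trailing slash enforced, lockRootPath may be a single string or an array, and a candidate absolute path is accepted only when, after '..' resolution, it lies under the project root or one of the declared roots. The project root '/var/www/project' and all file paths are constructed samples; symlink resolution via realpath is omitted because the sample paths do not exist on disk.

```python
import posixpath
from typing import List, Sequence, Union

LockRootPath = Union[str, Sequence[str], None]


def normalize_root(root: str) -> str:
    """Collapse '.', '..' and duplicate slashes, then enforce exactly one trailing
    slash, so '/var/spe' becomes '/var/spe/' and no longer prefix-matches '/var/specs/'."""
    return posixpath.normpath(root).rstrip("/") + "/"


def allowed_roots(project_root: str, lock_root_path: LockRootPath = None) -> List[str]:
    """The project root is always allowed; lockRootPath adds either one extra root
    (string form) or several (array form). An unset or empty value adds nothing."""
    roots = [normalize_root(project_root)]
    if isinstance(lock_root_path, str):
        if lock_root_path:
            roots.append(normalize_root(lock_root_path))
    elif lock_root_path is not None:
        roots.extend(normalize_root(r) for r in lock_root_path if r)
    return roots


def is_path_allowed(path: str, project_root: str, lock_root_path: LockRootPath = None) -> bool:
    """True only for absolute paths that resolve to a location under an allowed root."""
    if not posixpath.isabs(path):
        return False
    # normpath folds '/var/www/project/../../x' into '/var/x' before the prefix test;
    # a production check should additionally resolve symlinks (realpath), skipped here
    # because the sample paths are constructed and do not exist
    candidate = posixpath.normpath(path).rstrip("/") + "/"
    return any(candidate.startswith(root) for root in allowed_roots(project_root, lock_root_path))


def legacy_prefix_match(path: str, lock_root_path: str) -> bool:
    """The pre-fix semantics for contrast: a bare string prefix without trailing slash,
    which is why '/var/spe' used to match both '/var/specs/' and '/var/specials/'."""
    return path.startswith(lock_root_path)


if __name__ == "__main__":
    project = "/var/www/project"  # constructed sample project root
    print(is_path_allowed("/var/specs/report.pdf", project, "/var/spe"))                        # False
    print(is_path_allowed("/var/specs/report.pdf", project, ["/var/specs", "/var/specials/"]))  # True
    print(legacy_prefix_match("/var/specials/report.pdf", "/var/spe"))                           # True
```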
Showing 8 changed files with 127 additions and 7 deletions.
...0-FileAbstractionLayerEnforcesAbsolutePathsToMatchProjectRootOrLockRootPath.rst (39 changes: 39 additions & 0 deletions)
@@ -0,0 +1,39 @@ | ||
.. include:: /Includes.rst.txt | ||
|
||
.. _important-102800-1707409544: | ||
|
||
========================================================================================================= | ||
Important: #102800 - File Abstraction Layer enforces absolute paths to match project root or lockRootPath | ||
========================================================================================================= | ||
|
||
See :issue:`102800` | ||
|
||
Description | ||
=========== | ||
|
||
|
||
The File Abstraction Layer Local Driver has been adapted to verify whether a | ||
given absolute file path is allowed in order to prevent access to files outside | ||
the project root or to the additional root path restrictions defined in | ||
:php:`$GLOBALS['TYPO3_CONF_VARS']['BE']['lockRootPath']`. | ||
|
||
The option :php:`$GLOBALS['TYPO3_CONF_VARS']['BE']['lockRootPath']` has been | ||
extended to support an array of root path prefixes to allow for multiple storages | ||
to be listed. Beware that trailing slashes are enforced automatically. | ||
|
||
It is suggested to use the new array-based syntax, which will be applied automatically | ||
once this setting is updated via Install Tool Configuration Wizard: | ||
|
||
.. code-block:: php | ||
// Before | ||
$GLOBALS['TYPO3_CONF_VARS']['BE']['lockRootPath'] = '/var/extra-storage'; | ||
// After | ||
$GLOBALS['TYPO3_CONF_VARS']['BE']['lockRootPath'] = [ | ||
'/var/extra-storage1/', | ||
'/var/extra-storage2/', | ||
]; | ||
.. index:: FAL, LocalConfiguration, ext:core |
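Review bot: the Description does not state the matching consequence that the commit message spells out, although the Before/After example depends on it: the old value '/var/extra-storage' matched '/var/extra-storage1/' and '/var/extra-storage2/' as a bare prefix, and after this change it only matches '/var/extra-storage/', which is the reason the After list has to name both directories. Suggest adding that next to "Beware that trailing slashes are enforced automatically", e.g. "A value such as /var/extra-storage no longer covers /var/extra-storage1/; every directory must be listed explicitly." As rendered, `.. code-block:: php` is followed directly by `// Before` and `];` directly by `.. index::` with no blank line between them; check that the committed file has the directive body indented and separated by blank lines, since otherwise the code block will not render.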