Commit
[BUGFIX] Properly encode error messages in FileController
Invalid file names containing special characters like `<` or `>` are not correctly represented as text node. Error messages wrapped in an XML node need to be properly encoded.

This was originally reported as a vulnerability, after analyzing the scenario, the TYPO3 Security Team came to the conclusion to handle it in public. It cannot be exploited directly without knowing the backend form protection token of a particular user session.

Resolves: #98382
Releases: 11.5, 10.4
Change-Id: Icd73de28ef3b702b45cbc8f232b5595b6fda127b
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/76349
Tested-by: core-ci <typo3@b13.com>
Tested-by: Benni Mack <benni@typo3.org>
Tested-by: Stefan Bürk <stefan@buerk.tech>
Tested-by: Oliver Hader <oliver.hader@typo3.org>
Reviewed-by: Benni Mack <benni@typo3.org>
Reviewed-by: Oliver Klee <typo3-coding@oliverklee.de>
Reviewed-by: Stefan Bürk <stefan@buerk.tech>
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>
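The encoding problem the commit message describes, as an added example that is not TYPO3's code and not part of this commit: an error message containing a file name is wrapped in an XML node with and without encoding, then parsed to see whether it survives as a single text node. The `<error>` element name, the function names and the sample file names are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Before: the message is concatenated into the node without encoding.
function wrapRaw(string $message): string
{
    return '<error>' . $message . '</error>';
}

// After: markup characters are encoded, so the message stays one text node.
function wrapEncoded(string $message): string
{
    return '<error>' . htmlspecialchars($message, ENT_XML1 | ENT_QUOTES, 'UTF-8') . '</error>';
}

// Describe how an XML parser sees the wrapped message.
function describe(string $xml): string
{
    libxml_use_internal_errors(true);
    $doc = new DOMDocument();
    if (!$doc->loadXML($xml)) {
        libxml_clear_errors();
        return 'not well-formed';
    }
    $root = $doc->documentElement;
    // Any descendant element means the file name was interpreted as markup.
    $elements = $root->getElementsByTagName('*')->length;
    return sprintf('%d child element(s), text: %s', $elements, $root->textContent);
}

// Constructed sample file names, not taken from the commit.
$names = ['notes<b>.txt', 'notes<b>x</b>.txt'];
foreach ($names as $name) {
    $message = sprintf('File name "%s" is not valid.', $name);
    echo 'raw:     ', describe(wrapRaw($message)), PHP_EOL;
    echo 'encoded: ', describe(wrapEncoded($message)), PHP_EOL;
}
```

With the raw wrapper the first name breaks the document and the second is parsed as an element inside the error node; with the encoded wrapper both come back as plain text containing the original file name.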