[BUGFIX] Properly encode error messages in FileController

Invalid file names containing special characters like `<` or `>` are not correctly represented as text node. Error messages wrapped in an XML node need to be properly encoded. This was originally reported as a vulnerability, after analyzing the scenario, the TYPO3 Security Team came to the conclusion to handle it in public. It cannot be exploited directly without knowing the backend form protection token of a particular user session. Resolves: #98382 Releases: 11.5, 10.4 Change-Id: Icd73de28ef3b702b45cbc8f232b5595b6fda127b Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/76349 Tested-by: core-ci <typo3@b13.com> Tested-by: Benni Mack <benni@typo3.org> Tested-by: Stefan Bürk <stefan@buerk.tech> Tested-by: Oliver Hader <oliver.hader@typo3.org> Reviewed-by: Benni Mack <benni@typo3.org> Reviewed-by: Oliver Klee <typo3-coding@oliverklee.de> Reviewed-by: Stefan Bürk <stefan@buerk.tech> Reviewed-by: Oliver Hader <oliver.hader@typo3.org>
TYPO3 · Nov 2, 2022 · 3a3eace · 3a3eace
1 parent 203dc16
commit 3a3eace
Showing 1 changed file with 1 addition and 0 deletions.
diff --git a/typo3/sysext/backend/Classes/Controller/File/FileController.php b/typo3/sysext/backend/Classes/Controller/File/FileController.php
@@ -142,6 +142,7 @@ public function processAjaxRequest(ServerRequestInterface $request): ResponseInt
         $includeMessages = (bool)($request->getQueryParams()['includeMessages'] ?? false);
         $errors = $this->fileProcessor->getErrorMessages();
         if (!$includeMessages && !empty($errors)) {
+            $errors = array_map('htmlspecialchars', $errors);
             return (new HtmlResponse('<t3err>' . implode(',', $errors) . '</t3err>'))->withStatus(500, '(AJAX)');
         }
         $flatResult = [];