[SECURITY] Enforce file extension and MIME-type consistency

The File Abstraction Layer (FAL) methods `addFile`, `renameFile`,
`replaceFile`, and `addUploadedFile` in `ResourceStorage` have
been enhanced to enforce consistency and security of file data.

Two validations are now applied:

* Only explicitly allowed file extensions are accepted.
  These must be configured in the TYPO3 global config under
  `$GLOBALS['TYPO3_CONF_VARS']['SYS']`:
  - `textfile_ext`
  - `mediafile_ext`
  - `miscfile_ext`
* A file's MIME-type must match the expected type for its
  extension. For example, uploading a PNG image as `image.exe`
  is disallowed.

The new configuration property `miscfile_ext` enables defining
extensions that don't logically fit into text or media groups
(e.g. `zip`, `xz`). Any extensions not configured are disallowed
by default.

New feature flags:

* `security.system.enforceAllowedFileExtensions`
  - Enforces the file extension allowlist.
  - Disabled by default in existing installations.
  - Enabled by default in new installations.
* `security.system.enforceFileExtensionMimeTypeConsistency`
  - Enforces consistency between file extension and MIME type.

For internal use cases, such as file imports via trusted
low-level system components, one-time exemptions can be declared
using a dedicated trait method.

Resolves: #106240
Releases: main, 13.4, 12.4
Change-Id: Ibfc5b97f65c817d1e2f281f619869a52bfbfef8d
Security-Bulletin: TYPO3-CORE-SA-2025-014
Security-References: CVE-2025-47939
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/89468
Tested-by: Oliver Hader <oliver.hader@typo3.org>
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>

Author: ohader

typo3/sysext/core/Classes/Localization/LabelBag.php

@@ -0,0 +1,57 @@
+<?php
+
+declare(strict_types=1);
+
+/*
+ * This file is part of the TYPO3 CMS project.
+ *
+ * It is free software; you can redistribute it and/or modify it under
+ * the terms of the GNU General Public License, either version 2
+ * of the License, or any later version.
+ *
+ * For the full copyright and license information, please read the
+ * LICENSE.txt file that was distributed with this source code.
+ *
+ * The TYPO3 project - inspiring people to share!
+ */
+
+namespace TYPO3\CMS\Core\Localization;
+
+/**
+ * @internal
+ */
+final class LabelBag
+{
+    /**
+     * @var list<string>
+     */
+    public readonly array $arguments;
+
+    /**
+     * @param string $key e.g. `LLL:EXT:core/Resources/Private/Language/Labels.xlf:HelloWorld`
+     * @param string ...$arguments optional label arguments to be substituted
+     */
+    public function __construct(
+        public readonly string $key,
+        string ...$arguments
+    ) {
+        $this->arguments = $arguments;
+    }
+
+    /**
+     * Compiles the given label key and substituted label arguments if given.
+     */
+    public function compile(LanguageService $languageService): string
+    {
+        $label = $languageService->sL($this->key);
+        return sprintf(
+            $label,
+            ...$this->arguments
+        ) ?: sprintf(
+            'Error: could not translate key "%s" with value "%s" and %d argument(s)!',
+            $this->key,
+            $label,
+            count($this->arguments)
+        );
+    }
+}

typo3/sysext/core/Classes/Resource/OnlineMedia/Helpers/AbstractOnlineMediaHelper.php

@@ -23,10 +23,13 @@
 use TYPO3\CMS\Core\Resource\Folder;
 use TYPO3\CMS\Core\Resource\Index\FileIndexRepository;
 use TYPO3\CMS\Core\Resource\ResourceFactory;
+use TYPO3\CMS\Core\Resource\ResourceInstructionTrait;
 use TYPO3\CMS\Core\Utility\GeneralUtility;
 
 abstract class AbstractOnlineMediaHelper implements OnlineMediaHelperInterface
 {
+    use ResourceInstructionTrait;
+
     /**
      * Cached OnlineMediaIds [fileUid => id]
      *
@@ -113,6 +116,7 @@ protected function createNewFile(Folder $targetFolder, $fileName, $onlineMediaId
     {
         $temporaryFile = GeneralUtility::tempnam('online_media');
         GeneralUtility::writeFileToTypo3tempDir($temporaryFile, $onlineMediaId);
+        $this->skipResourceConsistencyCheckForCommands($targetFolder->getStorage(), $temporaryFile, $fileName);
         $file = $targetFolder->addFile($temporaryFile, $fileName, DuplicationBehavior::RENAME);
         return $file;
     }

typo3/sysext/core/Classes/Resource/ResourceInstructionTrait.php

@@ -0,0 +1,63 @@
+<?php
+
+declare(strict_types=1);
+
+/*
+ * This file is part of the TYPO3 CMS project.
+ *
+ * It is free software; you can redistribute it and/or modify it under
+ * the terms of the GNU General Public License, either version 2
+ * of the License, or any later version.
+ *
+ * For the full copyright and license information, please read the
+ * LICENSE.txt file that was distributed with this source code.
+ *
+ * The TYPO3 project - inspiring people to share!
+ */
+
+namespace TYPO3\CMS\Core\Resource;
+
+use Psr\Http\Message\UploadedFileInterface;
+use TYPO3\CMS\Core\Resource\Service\ResourceConsistencyService;
+use TYPO3\CMS\Core\Utility\GeneralUtility;
+use TYPO3\CMS\Core\Utility\PathUtility;
+
+/**
+ * Trait for creating skip-instructions for `ResourceConsistencyService::validate()`.
+ */
+trait ResourceInstructionTrait
+{
+    /**
+     * Registers an instruction to skip validation in `ResourceConsistencyService` for a specific uploaded file.
+     */
+    private function skipResourceConsistencyCheckForUploads(
+        ResourceStorage $storage,
+        array|UploadedFileInterface $uploadedFile,
+        ?string $targetFileName = null,
+    ): void {
+        GeneralUtility::makeInstance(ResourceConsistencyService::class)->addExceptionItem(
+            $storage,
+            $storage->getUploadedLocalFilePath($uploadedFile),
+            $storage->getUploadedTargetFileName($uploadedFile, $targetFileName),
+        );
+    }
+
+    /**
+     * Registers an instruction to skip validation in `ResourceConsistencyService`
+     * for commands (such as rename or replace) for existing files.
+     */
+    private function skipResourceConsistencyCheckForCommands(
+        ResourceStorage $storage,
+        string|FileInterface $resource,
+        ?string $targetFileName = null,
+    ): void {
+        $targetFileName ??= PathUtility::basename(
+            $resource instanceof FileInterface ? $resource->getName() : $resource
+        );
+        GeneralUtility::makeInstance(ResourceConsistencyService::class)->addExceptionItem(
+            $storage,
+            $resource,
+            $targetFileName
+        );
+    }
+}

typo3/sysext/core/Classes/Resource/ResourceStorage.php

@@ -91,11 +91,13 @@
 use TYPO3\CMS\Core\Resource\Search\Result\FileSearchResultInterface;
 use TYPO3\CMS\Core\Resource\Security\FileNameValidator;
 use TYPO3\CMS\Core\Resource\Service\FileProcessingService;
+use TYPO3\CMS\Core\Resource\Service\ResourceConsistencyService;
 use TYPO3\CMS\Core\Service\FlexFormService;
 use TYPO3\CMS\Core\Utility\Exception\NotImplementedMethodException;
 use TYPO3\CMS\Core\Utility\GeneralUtility;
 use TYPO3\CMS\Core\Utility\PathUtility;
 use TYPO3\CMS\Core\Utility\StringUtility;
+use TYPO3\CMS\Core\Validation\ResultException;
 
 /**
  * A "mount point" inside the TYPO3 file handling.
@@ -1070,6 +1072,14 @@ protected function assureFileCopyPermissions(FileInterface $file, FolderInterfac
         }
     }
 
+    /**
+     * @throws ResultException
+     */
+    protected function assureResourceConsistency(string|FileInterface $resource, string $fileName = ''): void
+    {
+        GeneralUtility::makeInstance(ResourceConsistencyService::class)->validate($this, $resource, $fileName);
+    }
+
     /**
      * Check if a file has the permission to be copied on a File/Folder/Storage,
      * if not throw an exception.
@@ -1182,6 +1192,7 @@ public function addFile(string $localFilePath, Folder $targetFolder, string $tar
         )->getFileName();
 
         $this->assureFileAddPermissions($targetFolder, $targetFileName);
+        $this->assureResourceConsistency($localFilePath, $targetFileName);
 
         $replaceExisting = false;
         if ($conflictMode === DuplicationBehavior::CANCEL && $this->driver->fileExistsInFolder($targetFileName, $targetFolder->getIdentifier())) {
@@ -1912,6 +1923,8 @@ public function renameFile(FileInterface $file, string $targetFileName, Duplicat
         }
 
         $this->assureFileRenamePermissions($file, $sanitizedTargetFileName);
+        $this->assureResourceConsistency($file, $sanitizedTargetFileName);
+
         $this->eventDispatcher->dispatch(
             new BeforeFileRenamedEvent($file, $sanitizedTargetFileName)
         );
@@ -1954,6 +1967,8 @@ public function renameFile(FileInterface $file, string $targetFileName, Duplicat
     public function replaceFile(FileInterface $file, string $localFilePath): FileInterface
     {
         $this->assureFileReplacePermissions($file);
+        $this->assureResourceConsistency($localFilePath, $file->getName());
+
         if (!file_exists($localFilePath)) {
             throw new \InvalidArgumentException('File "' . $localFilePath . '" does not exist.', 1325842622);
         }
@@ -1989,6 +2004,8 @@ public function addUploadedFile(array|UploadedFileInterface $uploadedFileData, ?
         $targetFolder ??= $this->getDefaultFolder();
 
         $this->assureFileUploadPermissions($localFilePath, $targetFolder, $targetFileName, $size);
+        $this->assureResourceConsistency($localFilePath, $targetFileName);
+
         if ($this->hasFileInFolder($targetFileName, $targetFolder) && $conflictMode === DuplicationBehavior::REPLACE) {
             $file = $this->getFileInFolder($targetFileName, $targetFolder);
             $resultObject = $this->replaceFile($file, $localFilePath);