[SECURITY] Disallow access to fallback storage '0'

All users with access to the filelist module are able to display the content of the document root folder by spoofing the url. This patch prevents any rendering from that storage and throws an error. Resolves: #67538 Releases: master, 6.2 Security-Bulletin: TYPO3-CORE-SA-2015-005 Change-Id: Ia503c572e550aaa3e74ffbaf3da87796ad04723a Reviewed-on: http://review.typo3.org/40815 Reviewed-by: Helmut Hummel <helmut.hummel@typo3.org> Tested-by: Helmut Hummel <helmut.hummel@typo3.org> Reviewed-by: Benjamin Mack <benni@typo3.org> Tested-by: Benjamin Mack <benni@typo3.org>
TYPO3 · Jul 1, 2015 · d9caccb · d9caccb
1 parent d7feb40
commit d9caccb
Showing 1 changed file with 6 additions and 2 deletions.
diff --git a/typo3/sysext/filelist/Classes/Controller/FileListController.php b/typo3/sysext/filelist/Classes/Controller/FileListController.php
@@ -142,6 +142,7 @@ public function __construct() {
 	 *
 	 * @return void
 	 * @throws \RuntimeException
+	 * @throws Exception\InsufficientFolderAccessPermissionsException
 	 */
 	public function init() {
 		// Setting GPvars:
@@ -163,9 +164,12 @@ public function init() {
 				}
 
 				$this->folderObject = $fileFactory->getFolderObjectFromCombinedIdentifier($storage->getUid() . ':' . $identifier);
+				// Disallow access to fallback storage 0
+				if ($storage->getUid() === 0) {
+					throw new Exception\InsufficientFolderAccessPermissionsException('You are not allowed to access files outside your storages', 1434539815);
+				}
 				// Disallow the rendering of the processing folder (e.g. could be called manually)
-				// and all folders without any defined storage
-				if ($this->folderObject && ($storage->getUid() === 0 || $storage->isProcessingFolder($this->folderObject))) {
+				if ($this->folderObject && $storage->isProcessingFolder($this->folderObject)) {
 					$this->folderObject = $storage->getRootLevelFolder();
 				}
 			} else {