[SECURITY] Prevent arbitrary access to privileged resources via t3://

bnf · ohader · commit 33f4d279b82b · 2024-02-13T10:06:21.000+01:00
Resolves: #93571 Releases: main, 13.0, 12.4, 11.5 Change-Id: I9622bfa47ef9637cecaff4a790f742445f598682 Security-Bulletin: TYPO3-CORE-SA-2024-005 Security-References: CVE-2024-25120 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/82949 Reviewed-by: Oliver Hader <oliver.hader@typo3.org> Tested-by: Oliver Hader <oliver.hader@typo3.org>
diff --git a/typo3/sysext/backend/Classes/Backend/Shortcut/ShortcutRepository.php b/typo3/sysext/backend/Classes/Backend/Shortcut/ShortcutRepository.php
@@ -405,7 +405,7 @@ protected function initShortcuts(): array
                 $combinedIdentifier = (string)($arguments['id'] ?? '');
                 if ($combinedIdentifier !== '') {
                     $storage = GeneralUtility::makeInstance(StorageRepository::class)->findByCombinedIdentifier($combinedIdentifier);
-                    if ($storage === null || $storage->getUid() === 0) {
+                    if ($storage === null || $storage->isFallbackStorage()) {
                         // Continue, if invalid storage or disallowed fallback storage
                         continue;
                     }
diff --git a/typo3/sysext/backend/Classes/Controller/LinkController.php b/typo3/sysext/backend/Classes/Controller/LinkController.php
@@ -56,7 +56,7 @@ public function resourceAction(ServerRequestInterface $request): ResponseInterfa
             if (!$resource instanceof File && !$resource instanceof Folder) {
                 throw new \InvalidArgumentException('Resource must be a file or a folder', 1679039649);
             }
-            if ($resource->getStorage()->getUid() === 0) {
+            if ($resource->getStorage()->isFallbackStorage()) {
                 throw new InsufficientFileAccessPermissionsException('You are not allowed to access files outside your storages', 1679039650);
             }
             if ($resource instanceof File) {
diff --git a/typo3/sysext/backend/Classes/Controller/Resource/ResourceController.php b/typo3/sysext/backend/Classes/Controller/Resource/ResourceController.php
@@ -54,7 +54,7 @@ public function renameResourceAction(ServerRequestInterface $request): ResponseI
             if (!$origin instanceof File && !$origin instanceof Folder) {
                 throw new \InvalidArgumentException('Resource must be a file or a folder', 1676979120);
             }
-            if ($origin->getStorage()->getUid() === 0) {
+            if ($origin->getStorage()->isFallbackStorage()) {
                 throw new InsufficientFileAccessPermissionsException('You are not allowed to access files outside your storages', 1676299579);
             }
             if (!$origin->checkActionPermission('rename')) {
diff --git a/typo3/sysext/backend/Classes/Form/Element/LinkElement.php b/typo3/sysext/backend/Classes/Form/Element/LinkElement.php
@@ -31,6 +31,7 @@
 use TYPO3\CMS\Core\Resource\Exception\InvalidPathException;
 use TYPO3\CMS\Core\Resource\File;
 use TYPO3\CMS\Core\Resource\Folder;
+use TYPO3\CMS\Core\Type\Bitmask\Permission;
 use TYPO3\CMS\Core\Utility\GeneralUtility;
 use TYPO3\CMS\Core\Utility\MathUtility;
 use TYPO3\CMS\Core\Utility\StringUtility;
@@ -335,10 +336,12 @@ protected function getLinkExplanation(string $itemValue): array
             }
         }
 
+        $backendUser = $this->getBackendUser();
         // Resolve the actual link
         switch ($linkData['type']) {
             case LinkService::TYPE_PAGE:
-                $pageRecord = BackendUtility::readPageAccess($linkData['pageuid'] ?? null, '1=1');
+                $pagePermissionClause = $backendUser->getPagePermsClause(Permission::PAGE_SHOW);
+                $pageRecord = BackendUtility::readPageAccess($linkData['pageuid'] ?? null, $pagePermissionClause);
                 // Is this a real page
                 if ($pageRecord['uid'] ?? 0) {
                     $fragmentTitle = '';
@@ -372,7 +375,7 @@ protected function getLinkExplanation(string $itemValue): array
                 break;
             case LinkService::TYPE_FILE:
                 $file = $linkData['file'] ?? null;
-                if ($file instanceof File) {
+                if ($file instanceof File && $file->checkActionPermission('read') && !$file->getStorage()->isFallbackStorage()) {
                     $data = [
                         'text' => $file->getPublicUrl(),
                         'icon' => $this->iconFactory->getIconForFileExtension($file->getExtension(), Icon::SIZE_SMALL)->render(),
@@ -381,7 +384,7 @@ protected function getLinkExplanation(string $itemValue): array
                 break;
             case LinkService::TYPE_FOLDER:
                 $folder = $linkData['folder'] ?? null;
-                if ($folder instanceof Folder) {
+                if ($folder instanceof Folder && $folder->checkActionPermission('read') && !$folder->getStorage()->isFallbackStorage()) {
                     $data = [
                         'text' => $folder->getPublicUrl(),
                         'icon' => $this->iconFactory->getIcon('apps-filetree-folder-default', Icon::SIZE_SMALL)->render(),
@@ -391,7 +394,9 @@ protected function getLinkExplanation(string $itemValue): array
             case LinkService::TYPE_RECORD:
                 $table = $this->data['pageTsConfig']['TCEMAIN.']['linkHandler.'][$linkData['identifier'] . '.']['configuration.']['table'] ?? '';
                 $record = BackendUtility::getRecord($table, $linkData['uid']);
-                if ($record) {
+                $pagePermissionClause = $backendUser->getPagePermsClause(Permission::PAGE_SHOW);
+                $hasPageAccess = BackendUtility::readPageAccess($record['pid'] ?? null, $pagePermissionClause) !== false;
+                if ($record && $hasPageAccess && $backendUser->check('tables_select', $table)) {
                     $recordTitle = BackendUtility::getRecordTitle($table, $record);
                     $tableTitle = $this->getLanguageService()->sL($GLOBALS['TCA'][$table]['ctrl']['title']);
                     $data = [
diff --git a/typo3/sysext/backend/Classes/LinkHandler/PageLinkHandler.php b/typo3/sysext/backend/Classes/LinkHandler/PageLinkHandler.php
@@ -25,6 +25,7 @@
 use TYPO3\CMS\Core\Domain\Repository\PageRepository;
 use TYPO3\CMS\Core\Imaging\Icon;
 use TYPO3\CMS\Core\LinkHandling\LinkService;
+use TYPO3\CMS\Core\Type\Bitmask\Permission;
 use TYPO3\CMS\Core\Utility\GeneralUtility;
 use TYPO3\CMS\Core\Utility\MathUtility;
 
@@ -87,11 +88,19 @@ public function formatCurrentUrl()
         $titleLen = (int)$this->getBackendUser()->uc['titleLen'];
 
         $id = (int)$this->linkParts['url']['pageuid'];
-        $pageTitle = BackendUtility::getRecordWSOL('pages', $id, 'title')['title'] ?? '';
 
+        $idInfo = 'ID: ' . $id . (!empty($this->linkParts['url']['fragment']) ? ', #' . $this->linkParts['url']['fragment'] : '');
+
+        $permsClause = $this->getBackendUser()->getPagePermsClause(Permission::PAGE_SHOW);
+        $pageRecord = BackendUtility::readPageAccess($id, $permsClause);
+        if ($pageRecord === false) {
+            return $lang->sL('LLL:EXT:backend/Resources/Private/Language/locallang_browse_links.xlf:page') . ' ' . $idInfo;
+        }
+
+        $pageTitle = $pageRecord['title'] ?? '';
         return $lang->sL('LLL:EXT:backend/Resources/Private/Language/locallang_browse_links.xlf:page')
             . ($pageTitle ? ' \'' . GeneralUtility::fixed_lgd_cs($pageTitle, $titleLen) . '\'' : '')
-            . ' (ID: ' . $id . (!empty($this->linkParts['url']['fragment']) ? ', #' . $this->linkParts['url']['fragment'] : '') . ')';
+            . ' (' . $idInfo . ')';
     }
 
     /**
diff --git a/typo3/sysext/core/Classes/LinkHandling/FileLinkHandler.php b/typo3/sysext/core/Classes/LinkHandling/FileLinkHandler.php
@@ -20,6 +20,7 @@
 use TYPO3\CMS\Core\Resource\Exception\FileDoesNotExistException;
 use TYPO3\CMS\Core\Resource\FileInterface;
 use TYPO3\CMS\Core\Resource\ResourceFactory;
+use TYPO3\CMS\Core\Resource\Security\FileNameValidator;
 use TYPO3\CMS\Core\Utility\GeneralUtility;
 
 /**
@@ -71,6 +72,13 @@ public function resolveHandlerData(array $data): array
     {
         try {
             $file = $this->resolveFile($data);
+            $fileNameValidator = GeneralUtility::makeInstance(FileNameValidator::class);
+            if (
+                !$fileNameValidator->isValid(basename($file->getIdentifier())) ||
+                !$fileNameValidator->isValid($file->getName())
+            ) {
+                $file = null;
+            }
         } catch (FileDoesNotExistException $e) {
             $file = null;
         }
diff --git a/typo3/sysext/core/Classes/LinkHandling/LegacyLinkNotationConverter.php b/typo3/sysext/core/Classes/LinkHandling/LegacyLinkNotationConverter.php
@@ -220,7 +220,7 @@ protected function getFileOrFolderObjectFromMixedIdentifier(string $mixedIdentif
             }
             $fileOrFolderObject = $this->getResourceFactory()->retrieveFileOrFolderObject($fileIdentifier);
             // Links to a file/folder in the main TYPO3 directory should not be considered as file links, but an external link
-            if ($fileOrFolderObject instanceof ResourceInterface && $fileOrFolderObject->getStorage()->getUid() === 0) {
+            if ($fileOrFolderObject instanceof ResourceInterface && $fileOrFolderObject->getStorage()->isFallbackStorage()) {
                 return [
                     'type' => LinkService::TYPE_URL,
                     'url' => $mixedIdentifier,
diff --git a/typo3/sysext/core/Classes/Resource/ResourceStorage.php b/typo3/sysext/core/Classes/Resource/ResourceStorage.php
@@ -354,6 +354,17 @@ public function hasChildren()
         return true;
     }
 
+    /**
+     * Returns true if this storage is a virtual storage that provides
+     * access to all files in the project root.
+     *
+     * @internal
+     */
+    public function isFallbackStorage(): bool
+    {
+        return $this->getUid() === 0;
+    }
+
     /*********************************
      * Capabilities
      ********************************/
@@ -718,7 +729,7 @@ public function checkFileActionPermission($action, FileInterface $file)
             return false;
         }
         // Check 3: No action allowed on files for denied file extensions
-        if (!$this->checkFileExtensionPermission($file->getName())) {
+        if (!$this->checkValidFileExtension($file)) {
             return false;
         }
         $isReadCheck = false;
@@ -830,6 +841,17 @@ protected function checkFileExtensionPermission($fileName)
         return GeneralUtility::makeInstance(FileNameValidator::class)->isValid($fileName);
     }
 
+    /**
+     * Check file extension of an existing file against the
+     * current file deny pattern.
+     */
+    protected function checkValidFileExtension(FileInterface $file): bool
+    {
+        $fileNameValidator = GeneralUtility::makeInstance(FileNameValidator::class);
+        return $fileNameValidator->isValid($file->getName()) &&
+            $fileNameValidator->isValid(basename($file->getIdentifier()));
+    }
+
     /**
      * Assures read permission for given folder.
      *
@@ -896,7 +918,7 @@ protected function assureFileReadPermission(FileInterface $file)
                 1375955429
             );
         }
-        if (!$this->checkFileExtensionPermission($file->getName())) {
+        if (!$this->checkValidFileExtension($file)) {
             throw new IllegalFileExtensionException(
                 'You are not allowed to use that file extension. File: "' . $file->getName() . '"',
                 1375955430
@@ -917,7 +939,7 @@ protected function assureFileWritePermissions(FileInterface $file)
         if (!$this->checkFileActionPermission('write', $file)) {
             throw new InsufficientFileWritePermissionsException('Writing to file "' . $file->getIdentifier() . '" is not allowed.', 1330121088);
         }
-        if (!$this->checkFileExtensionPermission($file->getName())) {
+        if (!$this->checkValidFileExtension($file)) {
             throw new IllegalFileExtensionException('You are not allowed to edit a file with extension "' . $file->getExtension() . '"', 1366711933);
         }
     }
@@ -950,7 +972,7 @@ protected function assureFileReplacePermissions(FileInterface $file)
     protected function assureFileDeletePermissions(FileInterface $file)
     {
         // Check for disallowed file extensions
-        if (!$this->checkFileExtensionPermission($file->getName())) {
+        if (!$this->checkValidFileExtension($file)) {
             throw new IllegalFileExtensionException('You are not allowed to delete a file with extension "' . $file->getExtension() . '"', 1377778916);
         }
         // Check further permissions if file is not a processed file
@@ -1071,7 +1093,7 @@ protected function assureFileMovePermissions(FileInterface $file, Folder $target
     protected function assureFileRenamePermissions(FileInterface $file, $targetFileName)
     {
         // Check if file extension is allowed
-        if (!$this->checkFileExtensionPermission($targetFileName) || !$this->checkFileExtensionPermission($file->getName())) {
+        if (!$this->checkFileExtensionPermission($targetFileName) || !$this->checkValidFileExtension($file)) {
             throw new IllegalFileExtensionException('You are not allowed to rename a file with this extension. File given: "' . $file->getName() . '"', 1371466663);
         }
         // Check if user is allowed to rename
@@ -1114,7 +1136,7 @@ protected function assureFileCopyPermissions(FileInterface $file, Folder $target
             throw new InsufficientFolderWritePermissionsException('You are not allowed to write to the target folder "' . $targetFolder->getIdentifier() . '"', 1319550435);
         }
         // Check for a valid file extension
-        if (!$this->checkFileExtensionPermission($targetFileName) || !$this->checkFileExtensionPermission($file->getName())) {
+        if (!$this->checkFileExtensionPermission($targetFileName) || !$this->checkValidFileExtension($file)) {
             throw new IllegalFileExtensionException('You are not allowed to copy a file of that type.', 1319553317);
         }
     }
@@ -1733,6 +1755,7 @@ public function streamFile(
         string $alternativeFilename = null,
         string $overrideMimeType = null
     ): ResponseInterface {
+        $this->assureFileReadPermission($file);
         if (!$this->driver instanceof StreamableDriverInterface) {
             return $this->getPseudoStream($file, $asDownload, $alternativeFilename, $overrideMimeType);
         }
diff --git a/typo3/sysext/core/Classes/Resource/Security/StoragePermissionsAspect.php b/typo3/sysext/core/Classes/Resource/Security/StoragePermissionsAspect.php
@@ -42,13 +42,10 @@ public function addUserPermissionsToStorage(AfterResourceStorageInitializationEv
         if (($GLOBALS['TYPO3_REQUEST'] ?? null) instanceof ServerRequestInterface
             && ApplicationType::fromRequest($GLOBALS['TYPO3_REQUEST'])->isBackend()
             && !$GLOBALS['BE_USER']->isAdmin()
+            && !$storage->isFallbackStorage()
         ) {
             $storage->setEvaluatePermissions(true);
-            if ($storage->getUid() > 0) {
-                $storage->setUserPermissions($GLOBALS['BE_USER']->getFilePermissionsForStorage($storage));
-            } else {
-                $storage->setEvaluatePermissions(false);
-            }
+            $storage->setUserPermissions($GLOBALS['BE_USER']->getFilePermissionsForStorage($storage));
             $this->addFileMountsToStorage($storage);
         }
     }
diff --git a/typo3/sysext/core/Classes/Utility/File/ExtendedFileUtility.php b/typo3/sysext/core/Classes/Utility/File/ExtendedFileUtility.php
@@ -590,7 +590,7 @@ protected function getFileObject($identifier)
         if ($object === null) {
             throw new InvalidFileException('The item ' . $identifier . ' was not a file or directory', 1320122453);
         }
-        if ($object->getStorage()->getUid() === 0) {
+        if ($object->getStorage()->isFallbackStorage()) {
             throw new InsufficientFileAccessPermissionsException('You are not allowed to access files outside your storages', 1375889830);
         }
         return $object;
diff --git a/typo3/sysext/core/Tests/Unit/DataHandling/SoftReference/TypoLinkSoftReferenceParserTest.php b/typo3/sysext/core/Tests/Unit/DataHandling/SoftReference/TypoLinkSoftReferenceParserTest.php
@@ -247,6 +247,9 @@ public function findRefReturnsParsedElementsWithFile(array $softrefConfiguration
         $storageObject->method('getUid')->willReturn(1);
         $fileObject = $this->createMock(File::class);
         $fileObject->expects(self::once())->method('getUid')->willReturn(42);
+        $fileObject->expects(self::any())->method('getName')->willReturn('download.jpg');
+        $fileObject->expects(self::any())->method('getIdentifier')->willReturn('fileadmin/download.jpg');
+
         $fileObject->expects(self::any())->method('getStorage')->willReturn($storageObject);
 
         $resourceFactory = $this->createMock(ResourceFactory::class);
diff --git a/typo3/sysext/core/Tests/Unit/DataHandling/SoftReference/TypoLinkTagSoftReferenceParserTest.php b/typo3/sysext/core/Tests/Unit/DataHandling/SoftReference/TypoLinkTagSoftReferenceParserTest.php
@@ -189,6 +189,8 @@ public function findRefReturnsParsedElementsWithFile(array $softrefConfiguration
     {
         $fileObject = $this->createMock(File::class);
         $fileObject->expects(self::once())->method('getUid')->willReturn(42);
+        $fileObject->expects(self::any())->method('getName')->willReturn('download.jpg');
+        $fileObject->expects(self::any())->method('getIdentifier')->willReturn('fileadmin/download.jpg');
 
         $resourceFactory = $this->createMock(ResourceFactory::class);
         $resourceFactory->method('getFileObject')->with('42')->willReturn($fileObject);
diff --git a/typo3/sysext/core/Tests/Unit/LinkHandling/FileLinkHandlerTest.php b/typo3/sysext/core/Tests/Unit/LinkHandling/FileLinkHandlerTest.php
@@ -98,7 +98,7 @@ public function resolveFileReferencesToSplitParameters(array $input, array $expe
             ->getMock();
 
         // fake methods to return proper objects
-        $fileObject = new File(['identifier' => $expected['file'], 'name' => 'foobar.txt'], $storage);
+        $fileObject = new File(['identifier' => 'fileadmin/deep/down.jpg', 'name' => 'down.jpg'], $storage);
         $factory->method('getFileObject')->with($expected['file'])->willReturn($fileObject);
         $factory->method('getFileObjectFromCombinedIdentifier')->with($expected['file'])->willReturn($fileObject);
         $expected['file'] = $fileObject;
diff --git a/typo3/sysext/filelist/Classes/Controller/File/CreateFileController.php b/typo3/sysext/filelist/Classes/Controller/File/CreateFileController.php
@@ -119,7 +119,7 @@ protected function initialize(ServerRequestInterface $request): void
             $message = $this->getLanguageService()->sL('LLL:EXT:filelist/Resources/Private/Language/locallang_mod_file_list.xlf:targetNoDir');
             throw new \RuntimeException($title . ': ' . $message, 1667565756);
         }
-        if ($this->folderObject->getStorage()->getUid() === 0) {
+        if ($this->folderObject->getStorage()->isFallbackStorage()) {
             throw new InsufficientFolderAccessPermissionsException(
                 'You are not allowed to access folders outside your storages',
                 1667565757
diff --git a/typo3/sysext/filelist/Classes/Controller/File/EditFileController.php b/typo3/sysext/filelist/Classes/Controller/File/EditFileController.php
@@ -119,7 +119,7 @@ public function mainAction(ServerRequestInterface $request): ResponseInterface
         if (!$file instanceof FileInterface) {
             throw new InvalidFileException('Referenced target "' . $combinedIdentifier . '" could not be resolved to a valid file', 1294586841);
         }
-        if ($file->getStorage()->getUid() === 0) {
+        if ($file->getStorage()->isFallbackStorage()) {
             throw new InsufficientFileAccessPermissionsException('You are not allowed to access files outside your storages', 1375889832);
         }
 
diff --git a/typo3/sysext/filelist/Classes/Controller/File/FileUploadController.php b/typo3/sysext/filelist/Classes/Controller/File/FileUploadController.php
@@ -58,7 +58,7 @@ public function mainAction(ServerRequestInterface $request): ResponseInterface
         $folder = $this->resourceFactory->retrieveFileOrFolderObject($targetFolderCombinedIdentifier);
 
         if (!$folder instanceof FolderInterface
-            || $folder->getStorage()->getUid() === 0
+            || $folder->getStorage()->isFallbackStorage()
         ) {
             throw new InsufficientFolderAccessPermissionsException('You are not allowed to access folders outside your storages, or the folder couldn\'t be resolved', 1375889834);
         }
diff --git a/typo3/sysext/filelist/Classes/Controller/File/ReplaceFileController.php b/typo3/sysext/filelist/Classes/Controller/File/ReplaceFileController.php
@@ -103,7 +103,7 @@ protected function init(ServerRequestInterface $request): void
             $message = $lang->sL('LLL:EXT:filelist/Resources/Private/Language/locallang_mod_file_list.xlf:targetNoDir');
             throw new \RuntimeException($title . ': ' . $message, 1436895930);
         }
-        if ($this->fileOrFolderObject->getStorage()->getUid() === 0) {
+        if ($this->fileOrFolderObject->getStorage()->isFallbackStorage()) {
             throw new InsufficientFileAccessPermissionsException(
                 'You are not allowed to access files outside your storages',
                 1436895931
diff --git a/typo3/sysext/filelist/Classes/Controller/FileListController.php b/typo3/sysext/filelist/Classes/Controller/FileListController.php
@@ -124,7 +124,7 @@ public function handleRequest(ServerRequestInterface $request): ResponseInterfac
                     }
                     $this->folderObject = $storage->getFolder($identifier);
                     // Disallow access to fallback storage 0
-                    if ($storage->getUid() === 0) {
+                    if ($storage->isFallbackStorage()) {
                         throw new InsufficientFolderAccessPermissionsException(
                             'You are not allowed to access files outside your storages',
                             1434539815
diff --git a/typo3/sysext/filelist/Classes/LinkHandler/AbstractResourceLinkHandler.php b/typo3/sysext/filelist/Classes/LinkHandler/AbstractResourceLinkHandler.php

Original file line number	Diff line number	Diff line change
`@@ -405,7 +405,7 @@ protected function initShortcuts(): array`
`405`	`405`	`$combinedIdentifier = (string)($arguments['id'] ?? '');`
`406`	`406`	`if ($combinedIdentifier !== '') {`
`407`	`407`	`$storage = GeneralUtility::makeInstance(StorageRepository::class)->findByCombinedIdentifier($combinedIdentifier);`
`408`		`- if ($storage === null \|\| $storage->getUid() === 0) {`
	`408`	`+ if ($storage === null \|\| $storage->isFallbackStorage()) {`
`409`	`409`	`// Continue, if invalid storage or disallowed fallback storage`
`410`	`410`	`continue;`
`411`	`411`	`}`
Original file line number	Diff line number	Diff line change
`@@ -56,7 +56,7 @@ public function resourceAction(ServerRequestInterface $request): ResponseInterfa`
`56`	`56`	`if (!$resource instanceof File && !$resource instanceof Folder) {`
`57`	`57`	`throw new \InvalidArgumentException('Resource must be a file or a folder', 1679039649);`
`58`	`58`	`}`
`59`		`- if ($resource->getStorage()->getUid() === 0) {`
	`59`	`+ if ($resource->getStorage()->isFallbackStorage()) {`
`60`	`60`	`throw new InsufficientFileAccessPermissionsException('You are not allowed to access files outside your storages', 1679039650);`
`61`	`61`	`}`
`62`	`62`	`if ($resource instanceof File) {`
Original file line number	Diff line number	Diff line change
`@@ -54,7 +54,7 @@ public function renameResourceAction(ServerRequestInterface $request): ResponseI`
`54`	`54`	`if (!$origin instanceof File && !$origin instanceof Folder) {`
`55`	`55`	`throw new \InvalidArgumentException('Resource must be a file or a folder', 1676979120);`
`56`	`56`	`}`
`57`		`- if ($origin->getStorage()->getUid() === 0) {`
	`57`	`+ if ($origin->getStorage()->isFallbackStorage()) {`
`58`	`58`	`throw new InsufficientFileAccessPermissionsException('You are not allowed to access files outside your storages', 1676299579);`
`59`	`59`	`}`
`60`	`60`	`if (!$origin->checkActionPermission('rename')) {`
Original file line number	Diff line number	Diff line change
`@@ -220,7 +220,7 @@ protected function getFileOrFolderObjectFromMixedIdentifier(string $mixedIdentif`
`220`	`220`	`}`
`221`	`221`	`$fileOrFolderObject = $this->getResourceFactory()->retrieveFileOrFolderObject($fileIdentifier);`
`222`	`222`	`// Links to a file/folder in the main TYPO3 directory should not be considered as file links, but an external link`
`223`		`- if ($fileOrFolderObject instanceof ResourceInterface && $fileOrFolderObject->getStorage()->getUid() === 0) {`
	`223`	`+ if ($fileOrFolderObject instanceof ResourceInterface && $fileOrFolderObject->getStorage()->isFallbackStorage()) {`
`224`	`224`	`return [`
`225`	`225`	`'type' => LinkService::TYPE_URL,`
`226`	`226`	`'url' => $mixedIdentifier,`
Original file line number	Diff line number	Diff line change
`@@ -354,6 +354,17 @@ public function hasChildren()`
`354`	`354`	`return true;`
`355`	`355`	`}`
`356`	`356`
	`357`	`+ /**`
	`358`	`+ * Returns true if this storage is a virtual storage that provides`
	`359`	`+ * access to all files in the project root.`
	`360`	`+ *`
	`361`	`+ * @internal`
	`362`	`+ */`
	`363`	`+ public function isFallbackStorage(): bool`
	`364`	`+ {`
	`365`	`+ return $this->getUid() === 0;`
	`366`	`+ }`
	`367`	`+`
`357`	`368`	`/*********************************`
`358`	`369`	`* Capabilities`
`359`	`370`	`********************************/`
`@@ -718,7 +729,7 @@ public function checkFileActionPermission($action, FileInterface $file)`
`718`	`729`	`return false;`
`719`	`730`	`}`
`720`	`731`	`// Check 3: No action allowed on files for denied file extensions`
`721`		`- if (!$this->checkFileExtensionPermission($file->getName())) {`
	`732`	`+ if (!$this->checkValidFileExtension($file)) {`
`722`	`733`	`return false;`
`723`	`734`	`}`
`724`	`735`	`$isReadCheck = false;`
`@@ -830,6 +841,17 @@ protected function checkFileExtensionPermission($fileName)`
`830`	`841`	`return GeneralUtility::makeInstance(FileNameValidator::class)->isValid($fileName);`
`831`	`842`	`}`
`832`	`843`
	`844`	`+ /**`
	`845`	`+ * Check file extension of an existing file against the`
	`846`	`+ * current file deny pattern.`
	`847`	`+ */`
	`848`	`+ protected function checkValidFileExtension(FileInterface $file): bool`
	`849`	`+ {`
	`850`	`+ $fileNameValidator = GeneralUtility::makeInstance(FileNameValidator::class);`
	`851`	`+ return $fileNameValidator->isValid($file->getName()) &&`
	`852`	`+ $fileNameValidator->isValid(basename($file->getIdentifier()));`
	`853`	`+ }`
	`854`	`+`
`833`	`855`	`/**`
`834`	`856`	`* Assures read permission for given folder.`
`835`	`857`	`*`
`@@ -896,7 +918,7 @@ protected function assureFileReadPermission(FileInterface $file)`
`896`	`918`	`1375955429`
`897`	`919`	`);`
`898`	`920`	`}`
`899`		`- if (!$this->checkFileExtensionPermission($file->getName())) {`
	`921`	`+ if (!$this->checkValidFileExtension($file)) {`
`900`	`922`	`throw new IllegalFileExtensionException(`
`901`	`923`	`'You are not allowed to use that file extension. File: "' . $file->getName() . '"',`
`902`	`924`	`1375955430`
`@@ -917,7 +939,7 @@ protected function assureFileWritePermissions(FileInterface $file)`
`917`	`939`	`if (!$this->checkFileActionPermission('write', $file)) {`
`918`	`940`	`throw new InsufficientFileWritePermissionsException('Writing to file "' . $file->getIdentifier() . '" is not allowed.', 1330121088);`
`919`	`941`	`}`
`920`		`- if (!$this->checkFileExtensionPermission($file->getName())) {`
	`942`	`+ if (!$this->checkValidFileExtension($file)) {`
`921`	`943`	`throw new IllegalFileExtensionException('You are not allowed to edit a file with extension "' . $file->getExtension() . '"', 1366711933);`
`922`	`944`	`}`
`923`	`945`	`}`
`@@ -950,7 +972,7 @@ protected function assureFileReplacePermissions(FileInterface $file)`
`950`	`972`	`protected function assureFileDeletePermissions(FileInterface $file)`
`951`	`973`	`{`
`952`	`974`	`// Check for disallowed file extensions`
`953`		`- if (!$this->checkFileExtensionPermission($file->getName())) {`
	`975`	`+ if (!$this->checkValidFileExtension($file)) {`
`954`	`976`	`throw new IllegalFileExtensionException('You are not allowed to delete a file with extension "' . $file->getExtension() . '"', 1377778916);`
`955`	`977`	`}`
`956`	`978`	`// Check further permissions if file is not a processed file`
`@@ -1071,7 +1093,7 @@ protected function assureFileMovePermissions(FileInterface $file, Folder $target`
`1071`	`1093`	`protected function assureFileRenamePermissions(FileInterface $file, $targetFileName)`
`1072`	`1094`	`{`
`1073`	`1095`	`// Check if file extension is allowed`
`1074`		`- if (!$this->checkFileExtensionPermission($targetFileName) \|\| !$this->checkFileExtensionPermission($file->getName())) {`
	`1096`	`+ if (!$this->checkFileExtensionPermission($targetFileName) \|\| !$this->checkValidFileExtension($file)) {`
`1075`	`1097`	`throw new IllegalFileExtensionException('You are not allowed to rename a file with this extension. File given: "' . $file->getName() . '"', 1371466663);`
`1076`	`1098`	`}`
`1077`	`1099`	`// Check if user is allowed to rename`
`@@ -1114,7 +1136,7 @@ protected function assureFileCopyPermissions(FileInterface $file, Folder $target`
`1114`	`1136`	`throw new InsufficientFolderWritePermissionsException('You are not allowed to write to the target folder "' . $targetFolder->getIdentifier() . '"', 1319550435);`
`1115`	`1137`	`}`
`1116`	`1138`	`// Check for a valid file extension`
`1117`		`- if (!$this->checkFileExtensionPermission($targetFileName) \|\| !$this->checkFileExtensionPermission($file->getName())) {`
	`1139`	`+ if (!$this->checkFileExtensionPermission($targetFileName) \|\| !$this->checkValidFileExtension($file)) {`
`1118`	`1140`	`throw new IllegalFileExtensionException('You are not allowed to copy a file of that type.', 1319553317);`
`1119`	`1141`	`}`
`1120`	`1142`	`}`
`@@ -1733,6 +1755,7 @@ public function streamFile(`
`1733`	`1755`	`string $alternativeFilename = null,`
`1734`	`1756`	`string $overrideMimeType = null`
`1735`	`1757`	`): ResponseInterface {`
	`1758`	`+ $this->assureFileReadPermission($file);`
`1736`	`1759`	`if (!$this->driver instanceof StreamableDriverInterface) {`
`1737`	`1760`	`return $this->getPseudoStream($file, $asDownload, $alternativeFilename, $overrideMimeType);`
`1738`	`1761`	`}`
Original file line number	Diff line number	Diff line change
`@@ -590,7 +590,7 @@ protected function getFileObject($identifier)`
`590`	`590`	`if ($object === null) {`
`591`	`591`	`throw new InvalidFileException('The item ' . $identifier . ' was not a file or directory', 1320122453);`
`592`	`592`	`}`
`593`		`- if ($object->getStorage()->getUid() === 0) {`
	`593`	`+ if ($object->getStorage()->isFallbackStorage()) {`
`594`	`594`	`throw new InsufficientFileAccessPermissionsException('You are not allowed to access files outside your storages', 1375889830);`
`595`	`595`	`}`
`596`	`596`	`return $object;`