[TYPO3-core] EM2 problems.
Martin Kutschker
Martin.Kutschker at n0spam-blackbox.net
Thu May 11 15:42:01 CEST 2006
Bernhard Kraft wrote:
>
> I attach two different patches which solve the problem by two different approaches.
>
> * Version 1:
> Don't unlink the file directly after upload but post the name of the intermediate file in typo3temp
> again in the form. When called again use this file to get $fetchData again.
Looks fine (not tested).
But don't use side effects AND logical operators in one statement.
NO:
  if (($uploadedTempFile = $this->CMD['alreadyUploaded']) ||
      $_FILES['upload_ext_file']['tmp_name']) {
YES:
  $uploadedTempFile = $this->CMD['alreadyUploaded'];
  if ($uploadedTempFile || $_FILES['upload_ext_file']['tmp_name']) {
Perhaps you could do a check like Dmitry suggested:
  if (!is_uploaded_file($_FILES['upload_ext_file']['tmp_name'])) {
    t3lib_div::sysLog('Possible file upload attack: '.$_FILES['upload_ext_file']['tmp_name'], 'Extension Manager', 3);
    return false;
  }
> * Version 2:
> serialize and base64_encode the complete fetchData array after initial upload and post it again and
> again as long as dependency problems aren't resolved.
No. Resubmitting possibly large data via base64 doesn't seem right.
Masi
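
Added example, not part of the original message or of either patch: one way to handle the two input paths of Version 1, where a fresh upload can be checked with is_uploaded_file() but a file name posted back in the form cannot and has to be confined to the temp directory instead. The function name, the `em_upload_` prefix and the directory argument are assumptions, and the code targets current PHP rather than the TYPO3 API of the time.

```php
<?php
// Added example; resolveUploadSource() and the 'em_upload_' prefix are hypothetical.

/**
 * Pick the file to read extension data from: a temp file stored by an
 * earlier request and named in the form, or a fresh upload.
 * Returns an absolute path inside $tempDir, or null if the input is rejected.
 */
function resolveUploadSource(array $files, ?string $alreadyUploaded, string $tempDir): ?string
{
    $tempDir = realpath($tempDir);
    if ($tempDir === false) {
        return null;
    }

    // Assign first, then test: no side effect inside the condition.
    $reposted = (string)$alreadyUploaded;
    if ($reposted !== '') {
        // The name comes back from the client, so it is untrusted:
        // keep only the file-name part and require our own prefix.
        $name = basename($reposted);
        if (strpos($name, "\0") !== false || strncmp($name, 'em_upload_', 10) !== 0) {
            return null;
        }
        // realpath() resolves symlinks; the result must sit directly in $tempDir.
        $path = realpath($tempDir . DIRECTORY_SEPARATOR . $name);
        if ($path === false || dirname($path) !== $tempDir || !is_file($path)) {
            return null;
        }
        return $path;
    }

    $tmpName = $files['upload_ext_file']['tmp_name'] ?? '';
    // is_uploaded_file() is only true for PHP's own upload temp file of this request.
    if ($tmpName === '' || !is_uploaded_file($tmpName)) {
        return null;
    }
    // Server-chosen target name; nothing from the client goes into the path.
    $target = $tempDir . DIRECTORY_SEPARATOR . 'em_upload_' . bin2hex(random_bytes(16));
    return move_uploaded_file($tmpName, $target) ? $target : null;
}

// Constructed input: a re-posted name pointing outside the temp directory.
var_dump(resolveUploadSource([], '../../etc/passwd', sys_get_temp_dir()));
```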