[TYPO3-core] EM2 problems.
Martin Kutschker
Martin.Kutschker at n0spam-blackbox.net
Mon May 22 19:14:37 CEST 2006
Martin Kutschker wrote:
> Bernhard Kraft wrote:
>
>>
>> I attach two different patches which solve the problem by two
>> different approaches.
>>
>> * Version 1:
>> Don't unlink the file directly after upload but post the name of the
>> intermediate file in typo3temp again in the form. When called again use
>> this file to get $fetchData again.
>
>
> Looks fine (not tested).
>
> But don't use side effects AND logical operators in one statement.
>
> NO:
> if (($uploadedTempFile = $this->CMD['alreadyUploaded']) || $_FILES['upload_ext_file']['tmp_name']) {
>
> YES:
> $uploadedTempFile = $this->CMD['alreadyUploaded'];
> if ($uploadedTempFile || $_FILES['upload_ext_file']['tmp_name']) {
>
> Perhaps you could do a check like Dmitry suggested:
>
> if (!is_uploaded_file($_FILES['upload_ext_file']['tmp_name'])) {
>     t3lib_div::sysLog('Possible file upload attack: '.$_FILES['upload_ext_file']['tmp_name'], 'Extension Manager', 3);
>     return false;
> }
The patch worked for me so +1.
Maybe you can address my concerns when you commit, but go ahead even if you
don't.
Masi
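
An added example, not part of the original mail or of Bernhard's patch: one way to combine the "Version 1" approach (re-posting the intermediate file name) with the is_uploaded_file() check discussed above. The function name, its parameters, the `extupload_` prefix and the use of error_log() are hypothetical; it assumes the form posts back a bare file name rather than a full path.

```php
<?php
// Added example; names are hypothetical and not TYPO3 API.

/**
 * Resolve the file to read the extension data from: a fresh upload, or the
 * intermediate file whose name the form posted back ("alreadyUploaded").
 * Returns an absolute path inside $tempDir, or false if the input is rejected.
 */
function resolveUploadedExtensionFile($alreadyUploaded, array $files, $tempDir)
{
    $tempDir = realpath($tempDir);
    if ($tempDir === false) {
        return false;
    }

    // Second request: the name of the intermediate file comes from the form,
    // so it is client-controlled. Accept only a bare file name that resolves
    // (symlinks included) to a regular file directly inside $tempDir.
    if (is_string($alreadyUploaded) && $alreadyUploaded !== '') {
        $candidate = realpath($tempDir . DIRECTORY_SEPARATOR . basename($alreadyUploaded));
        if ($candidate === false || dirname($candidate) !== $tempDir || !is_file($candidate)) {
            // json_encode() keeps control characters out of the log line.
            error_log('Rejected re-posted temp file name: ' . json_encode($alreadyUploaded));
            return false;
        }
        return $candidate;
    }

    // First request: a fresh upload. is_uploaded_file() succeeds only for
    // files PHP itself received via HTTP POST, so the check belongs in this
    // branch; it would always reject the intermediate file handled above.
    $tmpName = isset($files['upload_ext_file']['tmp_name'])
        ? $files['upload_ext_file']['tmp_name'] : '';
    if (!is_string($tmpName) || $tmpName === '' || !is_uploaded_file($tmpName)) {
        error_log('Possible file upload attack: ' . json_encode($tmpName));
        return false;
    }

    // Keep the upload for the follow-up request under a server-chosen name.
    $target = $tempDir . DIRECTORY_SEPARATOR . 'extupload_' . bin2hex(random_bytes(8)) . '.tmp';
    return move_uploaded_file($tmpName, $target) ? $target : false;
}
```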