[TYPO3-core] RFC #11369: jumpUrl should only allow files matching fileDenyPattern
Marcus Krause
marcus#exp2009 at t3sec.info
Mon Jun 22 08:25:59 CEST 2009
Ingmar Schlecht wrote on 06/21/2009 07:40 PM:
> This is an SVN patch request.
>
> Type: Minor security improvement
>
> Bugtracker references:
> http://bugs.typo3.org/view.php?id=11369
>
> Branches:
> TYPO3_4-0, TYPO3_4-1, TYPO3_4-2 and trunk
>
> Problem:
> jumpUrl should only allow files matching fileDenyPattern, so e.g. PHP
> files can not be downloaded with jumpUrl any more.
>
> Solution:
> This patch introduces that check and the accompanying error message.
The title should be read as
"jumpUrl should only allow files *not* matching fileDenyPattern"
Am I right?
I really appreciate the patch.
+1 by reading if you consider Bastian's comment
Marcus.
--
TYPO3 Security blog: http://secure.t3sec.info/