[SECURITY] Properly evaluate .form.yaml file extension

Resolves: #110015
Releases: main, 14.3, 13.4
Change-Id: Ia889469a7bf0c8311368dfda15f4e7437e0180ca
Security-Bulletin: TYPO3-CORE-SA-2026-019
Security-References: CVE-2026-11607
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/94431
Tested-by: Oliver Hader <oliver.hader@typo3.org>
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>

Author: ohader

typo3/sysext/form/Classes/Mvc/Persistence/FormPersistenceManager.php

@@ -89,7 +89,7 @@ public function load(string $persistenceIdentifier, array $formSettings, array $
             }
             try {
                 $formDefinition = $this->yamlSource->load([$file]);
-                $this->generateErrorsIfFormDefinitionIsValidButHasInvalidFileExtension($formDefinition, $persistenceIdentifier);
+                $this->generateErrorsIfFormDefinitionIsInvalidOrHasInvalidFileExtension($formDefinition, $persistenceIdentifier);
             } catch (\Exception $e) {
                 $formDefinition = [
                     'type' => 'Form',
@@ -648,7 +648,7 @@ protected function loadMetaData(string|File $persistenceIdentifier, array $formS
                 throw new NoSuchFileException(sprintf('YAML file "%s" could not be loaded', $persistenceIdentifier), 1524684462);
             }
             $yaml = $this->extractMetaDataFromCouldBeFormDefinition($rawYamlContent);
-            $this->generateErrorsIfFormDefinitionIsValidButHasInvalidFileExtension($yaml, $persistenceIdentifier);
+            $this->generateErrorsIfFormDefinitionIsInvalidOrHasInvalidFileExtension($yaml, $persistenceIdentifier);
             if ($file !== null) {
                 $yaml['fileUid'] = $file->getUid();
             }
@@ -694,9 +694,9 @@ protected function extractMetaDataFromCouldBeFormDefinition(string $maybeRawForm
     /**
      * @throws PersistenceManagerException
      */
-    protected function generateErrorsIfFormDefinitionIsValidButHasInvalidFileExtension(array $formDefinition, string $persistenceIdentifier): void
+    protected function generateErrorsIfFormDefinitionIsInvalidOrHasInvalidFileExtension(array $formDefinition, string $persistenceIdentifier): void
     {
-        if ($this->looksLikeAFormDefinition($formDefinition) && !$this->hasValidFileExtension($persistenceIdentifier)) {
+        if (!$this->looksLikeAFormDefinition($formDefinition) || !$this->hasValidFileExtension($persistenceIdentifier)) {
             throw new PersistenceManagerException(sprintf('Form definition "%s" does not end with ".form.yaml".', $persistenceIdentifier), 1531160649);
         }
     }

typo3/sysext/form/Tests/Functional/Mvc/Persistence/Fixtures/ContactForm.form.yaml

@@ -0,0 +1,3 @@
+identifier: contact-form
+type: Form
+label: 'Contact Form'

typo3/sysext/form/Tests/Functional/Mvc/Persistence/Fixtures/ContactFormWithType.yaml

@@ -0,0 +1,3 @@
+identifier: contact-form-with-type
+type: Form
+label: 'Contact Form'

typo3/sysext/form/Tests/Functional/Mvc/Persistence/Fixtures/ContactFormWithoutType.yaml

@@ -0,0 +1,2 @@
+identifier: contact-form-without-type
+label: 'Contact Form'

typo3/sysext/form/Tests/Functional/Mvc/Persistence/Fixtures/Simple.form.yaml

@@ -1,4 +1,5 @@
 identifier: ext-form-identifier
+type: Form
 prototypeName: standard
 label: 'Label'
 renderables:

typo3/sysext/form/Tests/Functional/Mvc/Persistence/FormPersistenceManagerTest.php

@@ -37,12 +37,16 @@
 
 final class FormPersistenceManagerTest extends FunctionalTestCase
 {
-    protected bool $initializeDatabase = false;
-
     protected array $coreExtensionsToLoad = [
         'form',
     ];
 
+    protected array $pathsToProvideInTestInstance = [
+        'typo3/sysext/form/Tests/Functional/Mvc/Persistence/Fixtures/ContactForm.form.yaml' => 'fileadmin/form_definitions/ContactForm.form.yaml',
+        'typo3/sysext/form/Tests/Functional/Mvc/Persistence/Fixtures/ContactFormWithoutType.yaml' => 'fileadmin/form_definitions/ContactFormWithoutType.yaml',
+        'typo3/sysext/form/Tests/Functional/Mvc/Persistence/Fixtures/ContactFormWithType.yaml' => 'fileadmin/form_definitions/ContactFormWithType.yaml',
+    ];
+
     #[Test]
     public function loadThrowsExceptionIfPersistenceIdentifierHasNoYamlExtension(): void
     {
@@ -92,6 +96,7 @@ public function loadReturnsFormArray(): void
         ];
         $expected = [
             'identifier' => 'ext-form-identifier',
+            'type' => 'Form',
             'prototypeName' => 'standard',
             'label' => 'Label',
             'renderables' => [
@@ -140,6 +145,7 @@ public function loadReturnsOverriddenConfigurationIfTypoScriptOverridesExists():
         ];
         $expected = [
             'identifier' => 'ext-form-identifier',
+            'type' => 'Form',
             'prototypeName' => 'standard',
             'label' => 'Label override',
             'renderables' => [
@@ -190,6 +196,7 @@ public function overrideFormDefinitionDoesNotEvaluateTypoScriptLookalikeInstruct
         ];
         $formDefinitionYaml = [
             'identifier' => 'ext-form-identifier',
+            'type' => 'Form',
             'prototypeName' => 'standard',
             'label' => [
                 'value' => 'Label override',
@@ -212,6 +219,7 @@ public function overrideFormDefinitionDoesNotEvaluateTypoScriptLookalikeInstruct
         ];
         $expected = [
             'identifier' => 'ext-form-identifier',
+            'type' => 'Form',
             'prototypeName' => 'standard',
             'label' => [
                 'value' => 'Label override',
@@ -1032,4 +1040,20 @@ public function isAllowedPersistencePathReturnsProperValues(string $persistenceP
         $subjectMock->method('getStorageByUid')->willReturn($storageMock);
         self::assertEquals($expected, $subjectMock->isAllowedPersistencePath($persistencePath, $formSettings));
     }
+
+    public static function loadThrowsExceptionWhenFormDefinitionHasInvalidFileExtensionDataProvider(): iterable
+    {
+        yield ['1:/form_definitions/ContactForm.form.yaml', null];
+        yield ['1:/form_definitions/ContactFormWithType.yaml', true];
+        yield ['1:/form_definitions/ContactFormWithoutType.yaml', true];
+    }
+
+    #[Test]
+    #[DataProvider('loadThrowsExceptionWhenFormDefinitionHasInvalidFileExtensionDataProvider')]
+    public function loadThrowsExceptionWhenFormDefinitionHasInvalidFileExtension(string $identifier, ?bool $expectedInvalid): void
+    {
+        $subject = $this->get(FormPersistenceManager::class);
+        $formDefinition = $subject->load($identifier, [], []);
+        self::assertSame($expectedInvalid, $formDefinition['invalid'] ?? null);
+    }
 }