[SECURITY] Fix path prefix confusion in isAllowedAbsPath

ohader · ohader · commit 150a983a5d68 · 2026-06-09T11:01:33.000+02:00
A path like `/var/www/html-other/file.yaml` was incorrectly accepted as allowed when the project root was `/var/www/html`, because the prefix check lacked a directory separator boundary. This allowed references to files outside the project root whenever an adjacent directory shared the project path as a string prefix. Resolves: #109844 Releases: main, 14.3, 13.4 Change-Id: I6ee31150c95cb943305fc95e06b82710dab1ee71 Security-Bulletin: TYPO3-CORE-SA-2026-016 Security-References: CVE-2026-49738 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/94423 Reviewed-by: Oliver Hader <oliver.hader@typo3.org> Tested-by: Oliver Hader <oliver.hader@typo3.org>
diff --git a/typo3/sysext/core/Classes/Utility/GeneralUtility.php b/typo3/sysext/core/Classes/Utility/GeneralUtility.php
@@ -2541,10 +2541,11 @@ public static function isAllowedAbsPath(string $path): bool
         if (substr($path, 0, 6) === 'vfs://') {
             return true;
         }
+        $path = PathUtility::sanitizeTrailingSeparator($path);
         return PathUtility::isAbsolutePath($path) && static::validPathStr($path)
             && (
-                str_starts_with($path, Environment::getProjectPath())
-                || str_starts_with($path, Environment::getPublicPath())
+                str_starts_with($path, Environment::getProjectPath() . '/')
+                || str_starts_with($path, Environment::getPublicPath() . '/')
                 || PathUtility::isAllowedAdditionalPath($path)
             );
     }
diff --git a/typo3/sysext/core/Tests/Functional/Utility/GeneralUtilityTest.php b/typo3/sysext/core/Tests/Functional/Utility/GeneralUtilityTest.php
@@ -0,0 +1,51 @@
+<?php
+
+declare(strict_types=1);
+
+/*
+ * This file is part of the TYPO3 CMS project.
+ *
+ * It is free software; you can redistribute it and/or modify it under
+ * the terms of the GNU General Public License, either version 2
+ * of the License, or any later version.
+ *
+ * For the full copyright and license information, please read the
+ * LICENSE.txt file that was distributed with this source code.
+ *
+ * The TYPO3 project - inspiring people to share!
+ */
+
+namespace TYPO3\CMS\Core\Tests\Functional\Utility;
+
+use PHPUnit\Framework\Attributes\DataProvider;
+use PHPUnit\Framework\Attributes\Test;
+use TYPO3\CMS\Core\Core\Environment;
+use TYPO3\CMS\Core\Utility\GeneralUtility;
+use TYPO3\TestingFramework\Core\Functional\FunctionalTestCase;
+
+final class GeneralUtilityTest extends FunctionalTestCase
+{
+    protected bool $initializeDatabase = false;
+
+    public static function isAllowedAbsPathDataProvider(): iterable
+    {
+        yield '{{project-path}}' => ['{{project-path}}', true];
+        yield '{{project-path}}/' => ['{{project-path}}/', true];
+        yield '{{project-path}}/some-file.png' => ['{{project-path}}/', true];
+        yield '{{project-path}}-other' => ['{{project-path}}-other', false];
+        yield '{{project-path}}-other/' => ['{{project-path}}-other', false];
+        yield '{{project-path}}-other/some-file.png' => ['{{project-path}}-other', false];
+    }
+
+    /**
+     * See `\TYPO3\CMS\Core\Tests\Unit\Utility\PathUtilityTest::allowedAdditionalPathsAreEvaluated`
+     * for the evaluation of `$GLOBALS['TYPO3_CONF_VARS']['BE']['lockRootPath']`.
+     */
+    #[Test]
+    #[DataProvider('isAllowedAbsPathDataProvider')]
+    public function allowedAbsolutePathIsEvaluated(string $path, bool $expectation): void
+    {
+        $path = str_replace('{{project-path}}', Environment::getPublicPath(), $path);
+        self::assertSame($expectation, GeneralUtility::isAllowedAbsPath($path));
+    }
+}
diff --git a/typo3/sysext/core/Tests/Unit/Utility/PathUtilityTest.php b/typo3/sysext/core/Tests/Unit/Utility/PathUtilityTest.php
@@ -565,15 +565,19 @@ public static function allowedAdditionalPathsAreEvaluatedDataProvider(): \Genera
         yield ['/var/shared/', '/var/shared', true];
         yield ['/var/shared', '/var/shared/', true];
         yield ['/var/shared/', '/var/shared/', true];
+        yield ['/var/shared', '/var/shared/file.png', true];
         yield ['/var/shared/', '/var/shared/file.png', true];
+        yield ['/var/shared', '/var/shared-secret', false];
         yield ['/var/shared/', '/var/shared-secret', false];
         yield ['/var/shared/', '/var', false];
         // array settings
         yield [['/var'], '/var/shared', true];
         yield [['/var/shared/'], '/var/shared', true];
         yield [['/var/shared'], '/var/shared/', true];
         yield [['/var/shared/'], '/var/shared/', true];
+        yield [['/var/shared'], '/var/shared/file.png', true];
         yield [['/var/shared/'], '/var/shared/file.png', true];
+        yield [['/var/shared'], '/var/shared-secret', false];
         yield [['/var/shared/'], '/var/shared-secret', false];
         yield [['/var/shared/'], '/var', false];
     }

Original file line number	Diff line number	Diff line change
`@@ -2541,10 +2541,11 @@ public static function isAllowedAbsPath(string $path): bool`
`2541`	`2541`	`if (substr($path, 0, 6) === 'vfs://') {`
`2542`	`2542`	`return true;`
`2543`	`2543`	`}`
	`2544`	`+ $path = PathUtility::sanitizeTrailingSeparator($path);`
`2544`	`2545`	`return PathUtility::isAbsolutePath($path) && static::validPathStr($path)`
`2545`	`2546`	`&& (`
`2546`		`- str_starts_with($path, Environment::getProjectPath())`
`2547`		`- \|\| str_starts_with($path, Environment::getPublicPath())`
	`2547`	`+ str_starts_with($path, Environment::getProjectPath() . '/')`
	`2548`	`+ \|\| str_starts_with($path, Environment::getPublicPath() . '/')`
`2548`	`2549`	`\|\| PathUtility::isAllowedAdditionalPath($path)`
`2549`	`2550`	`);`
`2550`	`2551`	`}`