[SECURITY] Fix path prefix confusion in isAllowedAbsPath

A path like `/var/www/html-other/file.yaml` was incorrectly
accepted as allowed when the project root was `/var/www/html`,
because the prefix check lacked a directory separator boundary.

This allowed references to files outside the project root whenever
an adjacent directory shared the project path as a string prefix.

Resolves: #109844
Releases: main, 14.3, 13.4
Change-Id: I6ee31150c95cb943305fc95e06b82710dab1ee71
Security-Bulletin: TYPO3-CORE-SA-2026-016
Security-References: CVE-2026-49738
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/94425
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>
Tested-by: Oliver Hader <oliver.hader@typo3.org>

Author: ohader

typo3/sysext/core/Classes/Utility/GeneralUtility.php

@@ -2071,9 +2071,10 @@ public static function validPathStr(string $theFile): bool
      */
     public static function isAllowedAbsPath(string $path): bool
     {
+        $path = PathUtility::sanitizeTrailingSeparator($path);
         return PathUtility::isAbsolutePath($path) && static::validPathStr($path)
             && (
-                str_starts_with($path, Environment::getProjectPath())
+                str_starts_with($path, Environment::getProjectPath() . '/')
                 || PathUtility::isAllowedAdditionalPath($path)
             );
     }

typo3/sysext/core/Tests/Functional/Utility/GeneralUtilityTest.php

@@ -0,0 +1,51 @@
+<?php
+
+declare(strict_types=1);
+
+/*
+ * This file is part of the TYPO3 CMS project.
+ *
+ * It is free software; you can redistribute it and/or modify it under
+ * the terms of the GNU General Public License, either version 2
+ * of the License, or any later version.
+ *
+ * For the full copyright and license information, please read the
+ * LICENSE.txt file that was distributed with this source code.
+ *
+ * The TYPO3 project - inspiring people to share!
+ */
+
+namespace TYPO3\CMS\Core\Tests\Functional\Utility;
+
+use PHPUnit\Framework\Attributes\DataProvider;
+use PHPUnit\Framework\Attributes\Test;
+use TYPO3\CMS\Core\Core\Environment;
+use TYPO3\CMS\Core\Utility\GeneralUtility;
+use TYPO3\TestingFramework\Core\Functional\FunctionalTestCase;
+
+final class GeneralUtilityTest extends FunctionalTestCase
+{
+    protected bool $initializeDatabase = false;
+
+    public static function isAllowedAbsPathDataProvider(): iterable
+    {
+        yield '{{project-path}}' => ['{{project-path}}', true];
+        yield '{{project-path}}/' => ['{{project-path}}/', true];
+        yield '{{project-path}}/some-file.png' => ['{{project-path}}/', true];
+        yield '{{project-path}}-other' => ['{{project-path}}-other', false];
+        yield '{{project-path}}-other/' => ['{{project-path}}-other', false];
+        yield '{{project-path}}-other/some-file.png' => ['{{project-path}}-other', false];
+    }
+
+    /**
+     * See `\TYPO3\CMS\Core\Tests\Unit\Utility\PathUtilityTest::allowedAdditionalPathsAreEvaluated`
+     * for the evaluation of `$GLOBALS['TYPO3_CONF_VARS']['BE']['lockRootPath']`.
+     */
+    #[Test]
+    #[DataProvider('isAllowedAbsPathDataProvider')]
+    public function allowedAbsolutePathIsEvaluated(string $path, bool $expectation): void
+    {
+        $path = str_replace('{{project-path}}', Environment::getPublicPath(), $path);
+        self::assertSame($expectation, GeneralUtility::isAllowedAbsPath($path));
+    }
+}

typo3/sysext/core/Tests/Unit/Utility/PathUtilityTest.php

@@ -516,15 +516,19 @@ public static function allowedAdditionalPathsAreEvaluatedDataProvider(): \Genera
         yield ['/var/shared/', '/var/shared', true];
         yield ['/var/shared', '/var/shared/', true];
         yield ['/var/shared/', '/var/shared/', true];
+        yield ['/var/shared', '/var/shared/file.png', true];
         yield ['/var/shared/', '/var/shared/file.png', true];
+        yield ['/var/shared', '/var/shared-secret', false];
         yield ['/var/shared/', '/var/shared-secret', false];
         yield ['/var/shared/', '/var', false];
         // array settings
         yield [['/var'], '/var/shared', true];
         yield [['/var/shared/'], '/var/shared', true];
         yield [['/var/shared'], '/var/shared/', true];
         yield [['/var/shared/'], '/var/shared/', true];
+        yield [['/var/shared'], '/var/shared/file.png', true];
         yield [['/var/shared/'], '/var/shared/file.png', true];
+        yield [['/var/shared'], '/var/shared-secret', false];
         yield [['/var/shared/'], '/var/shared-secret', false];
         yield [['/var/shared/'], '/var', false];
     }

typo3/sysext/scheduler/Tests/Functional/Controller/NewSchedulerTaskControllerTest.php

@@ -173,7 +173,7 @@ public function queryParamsAreProcessed(): void
                 'SCRIPT_NAME' => '/typo3/index.php',
             ]));
         $request = $request->withQueryParams([
-            'returnUrl' => Environment::getPublicPath() . 'typo3/scheduler/manage?token=123&test=value',
+            'returnUrl' => Environment::getPublicPath() . '/typo3/scheduler/manage?token=123&test=value',
             'defaultValues' => $defaultValues,
         ]);