[SECURITY] Check record/file access when adding records to clipboard

TYPO3's clipboard functionality is able to store arbitrary records and
files to further copy or move them around. While the copy and move
operations are already covered by appropriate permission checks, the
actual clipboard insertion step failed to properly calculate actual
permissions. This allowed an attacker to insert arbitrary records and
files into the clipboard, which in turn allowed them to gather
information about the stored records/files.

This changes implements proper permission checks to avoid the described
scenario. Whenever records and files are inserted to the clipboard, they
are validated against existing read permissions for the current backend
user. If the user does not have proper permissions, the requested
records and files are denied for clipboard insertion.

Resolves: #109364
Releases: main, 14.3, 13.4
Change-Id: Id4db3edabeddd6466e69fdf8bab1a52b42668d91
Security-Bulletin: TYPO3-CORE-SA-2026-014
Security-References: CVE-2026-47351
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/94419
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>
Tested-by: Oliver Hader <oliver.hader@typo3.org>

Author: eliashaeussler

typo3/sysext/backend/Classes/Clipboard/Clipboard.php

@@ -30,13 +30,15 @@
 use TYPO3\CMS\Core\Imaging\IconFactory;
 use TYPO3\CMS\Core\Imaging\IconSize;
 use TYPO3\CMS\Core\Localization\LanguageService;
+use TYPO3\CMS\Core\Resource\Exception\InsufficientFolderAccessPermissionsException;
 use TYPO3\CMS\Core\Resource\Exception\ResourceDoesNotExistException;
 use TYPO3\CMS\Core\Resource\File;
 use TYPO3\CMS\Core\Resource\Folder;
 use TYPO3\CMS\Core\Resource\ProcessedFile;
 use TYPO3\CMS\Core\Resource\ResourceFactory;
 use TYPO3\CMS\Core\Schema\Capability\TcaSchemaCapability;
 use TYPO3\CMS\Core\Schema\TcaSchemaFactory;
+use TYPO3\CMS\Core\Type\Bitmask\Permission;
 use TYPO3\CMS\Core\Utility\ExtensionManagementUtility;
 use TYPO3\CMS\Core\Utility\GeneralUtility;
 use TYPO3\CMS\Core\Utility\MathUtility;
@@ -662,21 +664,34 @@ public function cleanCurrent(): void
 
         foreach ($this->clipData[$this->current]['el'] as $reference => $value) {
             [$table, $uid] = explode('|', $reference);
-            if ($table !== '_FILE') {
-                if (!$value || !is_array(BackendUtility::getRecord($table, (int)$uid, 'uid'))) {
-                    unset($this->clipData[$this->current]['el'][$reference]);
-                    $this->changed = true;
-                }
-            } elseif (!$value) {
-                unset($this->clipData[$this->current]['el'][$reference]);
-                $this->changed = true;
-            } else {
+            $unset = false;
+
+            if (!$value) {
+                $unset = true;
+            } elseif ($table === '_FILE') {
                 try {
-                    $this->resourceFactory->retrieveFileOrFolderObject($value);
-                } catch (ResourceDoesNotExistException $e) {
-                    // The file has been deleted in the meantime, so just remove it silently
-                    unset($this->clipData[$this->current]['el'][$reference]);
+                    $fileOrFolder = $this->resourceFactory->retrieveFileOrFolderObject($value);
+
+                    if (($fileOrFolder instanceof File || $fileOrFolder instanceof Folder)
+                        && !$fileOrFolder->checkActionPermission('read')
+                    ) {
+                        $unset = true;
+                    }
+                } catch (InsufficientFolderAccessPermissionsException|ResourceDoesNotExistException) {
+                    // If either the file has been deleted in the meantime or the user lacks permissions
+                    // for the folder, we just remove the clipboard entry silently
+                    $unset = true;
                 }
+            } elseif (!is_array($row = BackendUtility::getRecord($table, (int)$uid, ['uid', 'pid']))
+                || !$this->getBackendUser()->check('tables_select', $table)
+                || !is_array($page = BackendUtility::getRecord('pages', (int)($table === 'pages' ? $row['uid'] : $row['pid'])))
+                || !$this->getBackendUser()->doesUserHaveAccess($page, Permission::PAGE_SHOW)
+            ) {
+                $unset = true;
+            }
+
+            if ($unset) {
+                $this->removeElement($reference);
             }
         }
     }