[SECURITY] Deny destructive write actions on mount folders

eliashaeussler · ohader · commit ac4125aef8b9 · 2026-06-09T10:55:29.000+02:00
Non-privileged users must not be able to perform destructive write actions on folders which represent an active file mount. These actions include move, delete and rename of the related folder, and will be denied by the associate resource storage by a dedicated check in `checkFolderActionPermissions()`. This hardening affects only non-privileged users; privileged users (admins) are still able to perform any destructive actions on file mounts. Resolves: #108910 Releases: main, 14.3, 13.4 Change-Id: I2dc2db1f145beb319b5ad04cc3df7d88578d6fd5 Security-Bulletin: TYPO3-CORE-SA-2026-007 Security-References: CVE-2026-47343 Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/94396 Tested-by: Oliver Hader <oliver.hader@typo3.org> Reviewed-by: Oliver Hader <oliver.hader@typo3.org>
diff --git a/typo3/sysext/core/Classes/Resource/ResourceStorage.php b/typo3/sysext/core/Classes/Resource/ResourceStorage.php
@@ -615,6 +615,18 @@ public function getFileMounts()
         return $this->fileMounts;
     }
 
+    public function isFileMountFolder(Folder $folder): bool
+    {
+        foreach ($this->fileMounts as $mount) {
+            $rootLevelFolder = $mount['folder'] ?? null;
+            if ($rootLevelFolder instanceof Folder && $rootLevelFolder->getCombinedIdentifier() === $folder->getCombinedIdentifier()) {
+                return true;
+            }
+        }
+
+        return false;
+    }
+
     /**
      * Checks if the given subject is within one of the registered user
      * file mounts. If not, working with the file is not permitted for the user.
@@ -830,9 +842,27 @@ public function checkFolderActionPermission($action, ?Folder $folder = null)
         if ($isWriteCheck && !$folderPermissions['w']) {
             return false;
         }
+
+        // Check 5: File mount check
+        if (!$this->isAllowedActionOnMountFolder($action, $folder)) {
+            return false;
+        }
+
         return true;
     }
 
+    protected function isAllowedActionOnMountFolder(string $action, FolderInterface $folder): bool
+    {
+        $deniedMountActions = ['move', 'delete', 'rename'];
+
+        // Early return if the given folder is not a mount folder
+        if (!$folder instanceof Folder || !$this->isFileMountFolder($folder)) {
+            return true;
+        }
+
+        return !in_array($action, $deniedMountActions, true);
+    }
+
     /**
      * If the fileName is given, checks it against the
      * TYPO3_CONF_VARS[BE][fileDenyPattern] + and if the file extension is allowed.
