[SECURITY] Check file permissions before showing meta data

Several HTTP routes of the backend API could be used to retrieve
file meta data without checking user permissions properly.

Resolves: #109842
Releases: main, 14.3, 13.4
Change-Id: I9189bdbcbc41977c597a259b51485f0e725fbdbf
Security-Bulletin: TYPO3-CORE-SA-2026-015.
Security-References: CVE-2026-47352
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/94422
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>
Tested-by: Oliver Hader <oliver.hader@typo3.org>

Author: ohader

typo3/sysext/backend/Classes/Controller/File/ImageProcessController.php

@@ -42,6 +42,9 @@ public function process(ServerRequestInterface $request): ResponseInterface
         $processedFileId = (int)($request->getQueryParams()['id'] ?? 0);
         try {
             $processedFile = $this->imageProcessingService->process($processedFileId);
+            if (!$processedFile->getOriginalFile()->checkActionPermission('read')) {
+                return new HtmlResponse('', 403);
+            }
 
             return new RedirectResponse(
                 GeneralUtility::locationHeaderUrl($processedFile->getPublicUrl() ?? '', $request)

typo3/sysext/backend/Classes/Controller/LinkController.php

@@ -26,6 +26,7 @@
 use TYPO3\CMS\Core\Messaging\FlashMessage;
 use TYPO3\CMS\Core\Messaging\FlashMessageQueue;
 use TYPO3\CMS\Core\Resource\Exception\InsufficientFileAccessPermissionsException;
+use TYPO3\CMS\Core\Resource\Exception\InsufficientFolderAccessPermissionsException;
 use TYPO3\CMS\Core\Resource\File;
 use TYPO3\CMS\Core\Resource\Folder;
 use TYPO3\CMS\Core\Resource\ResourceFactory;
@@ -47,34 +48,45 @@ public function resourceAction(ServerRequestInterface $request): ResponseInterfa
         $identifier = $request->getParsedBody()['identifier'] ?? null;
         $resource = null;
 
-        if ($identifier) {
-            $resource = $this->resourceFactory->retrieveFileOrFolderObject($identifier);
-        }
-
         try {
+            if ($identifier) {
+                $resource = $this->resourceFactory->retrieveFileOrFolderObject($identifier);
+            }
             if (!$resource instanceof File && !$resource instanceof Folder) {
                 throw new \InvalidArgumentException('Resource must be a file or a folder', 1679039649);
             }
             if ($resource->getStorage()->isFallbackStorage()) {
                 throw new InsufficientFileAccessPermissionsException('You are not allowed to access files outside your storages', 1679039650);
             }
             if ($resource instanceof File) {
+                if (!$resource->checkActionPermission('read')) {
+                    throw new InsufficientFileAccessPermissionsException('You are not allowed to access this file', 1779001351);
+                }
                 $parameters = [
                     'type' => LinkService::TYPE_FILE,
                     'file' => $resource,
                 ];
             }
             if ($resource instanceof Folder) {
+                // Note: No explicit `$resource->checkActionPermission('read')` check here, as that would
+                // be a no-op since `ResourceStorage::getFolder()` calls `assureFolderReadPermission()`
+                // and throws `InsufficientFolderAccessPermissionsException`
                 $parameters = [
                     'type' => LinkService::TYPE_FOLDER,
                     'folder' => $resource,
                 ];
             }
             $link = $this->linkService->asString($parameters);
+        } catch (InsufficientFileAccessPermissionsException|InsufficientFolderAccessPermissionsException $exception) {
+            $message = match ($exception->getCode()) {
+                1679039650 => $this->getLanguageService()->sL('LLL:EXT:backend/Resources/Private/Language/locallang_resource.xlf:ajax.error.message.resourceOutsideOfStorages'),
+                default => $this->getLanguageService()->sL('LLL:EXT:backend/Resources/Private/Language/locallang_resource.xlf:ajax.error.message.resourceNoPermissionRead'),
+            };
+
+            return new JsonResponse($this->getResponseData(false, $message));
         } catch (\Exception $exception) {
             $message = match ($exception->getCode()) {
                 1679039649 => $this->getLanguageService()->sL('LLL:EXT:backend/Resources/Private/Language/locallang_resource.xlf:ajax.error.message.resourceNotFileOrFolder'),
-                1679039650 => $this->getLanguageService()->sL('LLL:EXT:backend/Resources/Private/Language/locallang_resource.xlf:ajax.error.message.resourceOutsideOfStorages'),
                 default => $exception->getMessage(),
             };
 

typo3/sysext/backend/Classes/Controller/Resource/ResourceController.php

@@ -65,6 +65,9 @@ public function gatherInformationAction(ServerRequestInterface $request): Respon
         if ($resource === null) {
             return new JsonResponse(null, 404);
         }
+        if (!$resource->checkActionPermission('read')) {
+            return new JsonResponse(null, 403);
+        }
 
         return new JsonResponse($this->getResourceResponseData($resource));
     }

typo3/sysext/backend/Resources/Private/Language/locallang_resource.xlf

@@ -21,6 +21,9 @@
       <trans-unit id="ajax.error.message.resourceOutsideOfStorages">
         <source>Access to files outside your configured storages is not permitted.</source>
       </trans-unit>
+      <trans-unit id="ajax.error.message.resourceNoPermissionRead">
+        <source>Reading this resource is not permitted.</source>
+      </trans-unit>
       <trans-unit id="ajax.error.message.resourceNoPermissionRename">
         <source>Renaming this resource is not permitted.</source>
       </trans-unit>