- edited description
Upload to storages with relative paths containing .. is buggy
I defined a typoscript to set the defaultStoragePath
and file
target for uploads like so:
plugin.tx_nnrestapi {
settings {
fileUploads {
default {
defaultStoragePath = 2:/uploads/
file = 2:/uploads/
}
}
}
}
This storage with the uid 2 has an relative base path “../secure_storage/” (note the two dots in front).
Comparing with uid 1, which has the relative base path “fileadmin/”.
TYPO3 handles both storage paths correctly, and I can browse both folders with the file module.
The TYPO3 12 system is a composer installation where the public path is the root of the relative base path.
After uploading a file with the @Api\Upload("default")
Annotation, nnrestapi generates a new public folder public/secure_storage/uploads/ with the uploaded file, but the uploaded files should be stored IMO here:
secure_files/uploads/
It seems, that nnrestapi cuts off the starting “../" from the relative path of the selected storage.
If I change the path in the storage to an absolute path (e.g. /var/www/html/secure_storage) it works correctly.
But this is not very practical, since my development system has different absolute paths than eg. the live system.
Because of this, after every sync of the database I would have to change the paths in the sys_file_storage database table, which is stored in a flexform xml.
Comments (3)
-
reporter -
reporter After some research, it seem that the problem comes from this call inside the \nn\t3::File->absPath method:
GeneralUtility::getFileAbsFileName($file)
The called method from the core has an security check for back paths (
static::validPathStr($fileName)
):$checkForBackPath = fn (string $fileName): string => $fileName !== '' && static::validPathStr($fileName) ? $fileName : '';
This results in an empty returned $fileName.
-
- changed status to resolved
Should be fixed in the latest release (2.0.4) – make sure to also update nnhelpers
- Log in to comment