Is writing to sys_file with DataHandler now a no-no?


(CC: @ohader)

After the publication of TYPO3-CORE-SA-2024-006: Improper Access Control Persisting File Abstraction Layer Entities via Data Handler, is the recommendation that I never change sys_file records with the DataHandler? (Apart from import operations, of course.) For example situations where the table has been extended.

Best wishes


Answer from @ohader in Slack:

Modifying sys_file via DataHandler is blocked. […] Additional fields usually would be in sys_file_metadata.

Thank you! :smiley:

1 Like