From fa29ffd3e8b275782a8600d2406e1b1e5e16ae75 Mon Sep 17 00:00:00 2001
From: Oliver Hader
Date: Mon, 29 Jun 2020 15:39:55 +0200
Subject: [PATCH 1/2] [SECURITY] Restrict file validation hash generation
Security-References: CVE-2020-15086
---
 Resources/PHP/ValidateHashEID.php | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)
diff --git a/Resources/PHP/ValidateHashEID.php b/Resources/PHP/ValidateHashEID.php
index e2ee58b..71f1481 100644
--- a/Resources/PHP/ValidateHashEID.php
+++ b/Resources/PHP/ValidateHashEID.php
@@ -14,10 +14,15 @@ call_user_func(function() {
 $value = \TYPO3\CMS\Core\Utility\GeneralUtility::_GET('value');
- $addition = \TYPO3\CMS\Core\Utility\GeneralUtility::_GET('addition');
 $scope = \TYPO3\CMS\Core\Utility\GeneralUtility::_GET('scope');
- $content = \TYPO3\CMS\Core\Utility\GeneralUtility::hmac($value, $addition);
+ if (!is_string($value) || empty($value)) {
+ \TYPO3\CMS\Core\Utility\HttpUtility::setResponseCodeAndExit(
+ \TYPO3\CMS\Core\Utility\HttpUtility::HTTP_STATUS_400
+ );
+ }
+
+ $content = \TYPO3\CMS\Core\Utility\GeneralUtility::hmac($value, 'flashvars');
 if ($scope === 'flashvars') {
 header('Content-type: application/x-www-form-urlencoded');
From ca7a7fcf55c934913c5226e418c20ba150854609 Mon Sep 17 00:00:00 2001
From: Oliver Hader
Date: Thu, 16 Jul 2020 09:34:37 +0200
Subject: [PATCH 2/2] [TASK] Raise version to 7.6.5
---
 ext_emconf.php | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/ext_emconf.php b/ext_emconf.php
index 2cb653e..4e804ae 100644
--- a/ext_emconf.php
+++ b/ext_emconf.php
@@ -9,7 +9,7 @@
 'uploadfolder' => 0,
 'createDirs' => 'uploads/media',
 'clearCacheOnLoad' => 1,
- 'version' => '7.6.4',
+ 'version' => '7.6.5',
 'constraints' => array(
 'depends' => array(
 'typo3' => '7.6.0-7.6.99',
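Review bot: In Resources/PHP/ValidateHashEID.php the new guard uses `empty($value)`, which also rejects the valid string `'0'`; `if (!is_string($value) || $value === '') {` states the intended check exactly. More important for the security intent, the endpoint still returns an HMAC for any caller-supplied `value`, now under the fixed `'flashvars'` addition, so a matching hash only shows that the value passed through this endpoint, and code that verifies hashes in that scope should not treat one as proof of a trusted origin. A comment above the `hmac()` call would keep the restriction from being relaxed later, for example `// Addition is fixed on purpose: a request-controlled addition lets callers obtain HMACs valid in other scopes (CVE-2020-15086).` The closure body continues past the end of the hunk, so whether `$scope` needs further validation cannot be judged from the visible lines.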