[SECURITY] Prevent Information Disclosure in record list downloader

Resolves: #107173
Releases: main, 13.4, 12.4
Change-Id: If3e22ce557bd48a4a68edee78e3c87f5fe51f9e4
Security-Bulletin: TYPO3-CORE-SA-2025-023
Security-References: CVE-2025-59019
Reviewed-on: https://review.typo3.org/c/Packages/TYPO3.CMS/+/90633
Reviewed-by: Oliver Hader <[email protected]>
Tested-by: Oliver Hader <[email protected]>

Author: bnf

Classes/Controller/RecordListDownloadController.php

@@ -105,6 +105,12 @@ public function handleDownloadRequest(ServerRequestInterface $request): Response
         if ($this->table === '') {
             throw new \RuntimeException('No table was given for downloading records', 1623941276);
         }
+
+        $backendUser = $this->getBackendUserAuthentication();
+        if (!$backendUser->check('tables_select', $this->table)) {
+            throw new AccessDeniedException('Insufficient permissions for accessing this download', 1756895674);
+        }
+
         // @todo we might want to throw an exception in case no schema exists for the table
         $schema = $this->tcaSchemaFactory->has($this->table) ? $this->tcaSchemaFactory->get($this->table) : null;
         $this->format = (string)($parsedBody['format'] ?? '');
@@ -123,7 +129,6 @@ public function handleDownloadRequest(ServerRequestInterface $request): Response
         $tsConfig = is_array($tsConfig) ? $tsConfig : null;
 
         // Loading current page record and checking access
-        $backendUser = $this->getBackendUserAuthentication();
         $perms_clause = $backendUser->getPagePermsClause(Permission::PAGE_SHOW);
         $pageinfo = BackendUtility::readPageAccess($this->id, $perms_clause);
         $searchString = (string)($parsedBody['searchString'] ?? '');