Bug #22651
closed
phtml is also PHP extension and should be denied editing / uploading via fileadmin
Added by Ernesto Baschny about 14 years ago.
Updated over 13 years ago.
Description
Most Linux distributions with PHP enabled will add handling of .phtml files through PHP module:
AddType application/x-httpd-php .php .phtml .php3
This is currently not in the list of denied files (in PHP_EXTENSIONS_DEFAULT of t3lib/config_default.php).
This means uploading a .phtml file through File manager will make it executeable.
Solution is to add this extension to the list.
Same applies to v4.2 and v4.3.
(issue imported from #M14389)
Files
|
14389.diff (979 Bytes)
14389.diff |
|
Administrator Admin, 2010-05-14 21:09
|
|
|
14389-phtml-fileext_v2_4-1.patch (989 Bytes)
14389-phtml-fileext_v2_4-1.patch |
|
Administrator Admin, 2010-05-20 15:57
|
|
|
14389-phtml-fileext_v2_4-2.patch (989 Bytes)
14389-phtml-fileext_v2_4-2.patch |
|
Administrator Admin, 2010-05-20 15:57
|
|
|
14389-phtml-fileext_v2_4-3.patch (3.18 KB)
14389-phtml-fileext_v2_4-3.patch |
|
Administrator Admin, 2010-05-20 15:57
|
|
|
14389-phtml-fileext_v2_4-4.patch (3.18 KB)
14389-phtml-fileext_v2_4-4.patch |
|
Administrator Admin, 2010-05-20 15:57
|
|
|
14389-phtml-fileext_v3_4.2_and_4.1.diff (989 Bytes)
14389-phtml-fileext_v3_4.2_and_4.1.diff |
|
Administrator Admin, 2010-06-30 14:23
|
|
|
14389-phtml-fileext_v3_4.3.diff (3.17 KB)
14389-phtml-fileext_v3_4.3.diff |
|
Administrator Admin, 2010-06-30 14:23
|
|
|
14389-phtml-fileext_v3_trunk_and_4.4.diff (3.15 KB)
14389-phtml-fileext_v3_trunk_and_4.4.diff |
|
Administrator Admin, 2010-06-30 14:23
|
|
|
14389-phtml-fileext_v4_4.2_and_4.1.diff (985 Bytes)
14389-phtml-fileext_v4_4.2_and_4.1.diff |
|
Administrator Admin, 2010-06-30 17:59
|
|
|
14389-phtml-fileext_v4_4.3.diff (3.2 KB)
14389-phtml-fileext_v4_4.3.diff |
|
Administrator Admin, 2010-06-30 17:59
|
|
|
14389-phtml-fileext_v5_4.3.diff (3.22 KB)
14389-phtml-fileext_v5_4.3.diff |
|
Administrator Admin, 2010-07-27 21:46
|
|
|
14389-phtml-fileext_v4_trunk_and_4.4.diff (3.16 KB)
14389-phtml-fileext_v4_trunk_and_4.4.diff |
|
Administrator Admin, 2010-07-27 21:46
|
|
The patch mostly looks good, but I would remove the file extension ".inc" from the list again, as that is a file extension that is normally used to denote PHP files that are only included and never directly executed by apache. Such files would actually make sense to be able to create or edit from within the Filelist so it shouldn't be on the deny pattern. Otherwise it would require to revert to file extensions like .txt for such included PHP files, which is kinda ugly...
I agree with Ingmar, inc extension should be removed.
i just discussed this with Ingmar and Olly (who added the "inc" extension) and we agreed to remove it again.
Updated patches attached.
Updated patches for TYPO3_4-3, TYPO3_4-4 and Trunk.
Committed to SVN
- TYPO3_4-1 (rev. 8391)
- TYPO3_4-2 (rev. 8392)
- TYPO3_4-3 (rev. 8393, 8396)
- TYPO3_4-4 (rev. 8394, 8397)
- Trunk (rev. 8395, 8398)
released in
4.1.15
4.2.14
4.3.5
4.4.2
Also available in: Atom
PDF
Updated by 
Updated by 
Updated by 
Updated by 
Updated by