Bug #16108
Closed
Block of shtml upload
Description
Upload of shtml files should be blocked by default, because this can be a security issue. E.g., you can shut down Windows computers with uploaded shtml files.
(issue imported from #M3386)
Updated by Rupert Germann over 18 years ago
There are many ways to shut down a Windows computer; sometimes even a manipulated bmp or wma file is enough.
SCNR ;-)
Updated by Andreas Balzer over 18 years ago
Well, but this also works under Linux :)
I recommend blocking from upload anything that has the possibility to execute something. So the following files, for example:
.php
.phtm
*phtml
.shtm
.shtml
.exe
.bat
.cmd
....
Updated by Dimitri Tarassenko over 18 years ago
The problem is you CAN'T build a complete list of everything that can be executed - i.e. what if the server has mod_perl? or ruby? or ASP?
The problem should be solved by webserver configuration in either .htaccess or some other way that would prohibit executing ANYTHING in the user-uploadable directories.
Updated by Andreas Balzer over 18 years ago
"in either .htaccess or some other way that would prohibit executing ANYTHING in the user-uploadable directories." Why not just create an .htaccess as an option in the install tool that is enabled by default? I mean, it cannot be hard to do that, and it would prevent normal BE users or even just FE users from uploading something with the contents 'system("format c:");', which is possible right now in many situations in TYPO3.
Updated by Alexander Opitz over 11 years ago
- Status changed from New to Needs Feedback
- Target version deleted (0)
- PHP Version deleted (4)
Hi,
as this issue is very old: does the problem still exist within newer versions of TYPO3 CMS (4.5 or 6.1)?
Updated by Christian Kuhn about 11 years ago
- Status changed from Needs Feedback to Closed
- Is Regression set to No
There is a configuration option to tell the backend which files are allowed / not allowed.
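Added example (not part of the original thread and not TYPO3 code): a Python sketch that runs the extension deny-list proposed above and an allow-list over constructed file names, to show which uploads each policy lets through. The allow-list contents, function names and sample names are assumptions; such a check complements, and does not replace, disabling execution in the upload directory at the web server.

```python
import os

# Extensions proposed for blocking in the thread (its "...." is left open).
DENY = {"php", "phtm", "phtml", "shtm", "shtml", "exe", "bat", "cmd"}
# Assumption: an upload folder that only needs images and documents.
ALLOW = {"jpg", "jpeg", "png", "gif", "pdf", "txt"}

# Constructed sample names; .pl/.rb/.asp stand for the mod_perl, Ruby and
# ASP handlers mentioned in the thread.
SAMPLES = ["holiday.JPG", "report.pdf", "page.shtml", "tool.pl",
           "app.rb", "default.asp", "notes.php.txt", ".htaccess"]


def segments(filename):
    """Lower-cased dot-separated parts after the base name.

    Every part is returned, not just the last one, because Apache's
    mod_mime can act on any extension of a multi-extension file name.
    """
    name = os.path.basename(filename.replace("\\", "/")).strip().rstrip(".")
    return [part.lower() for part in name.split(".")[1:]]


def denylist_accepts(filename):
    """Accept unless some extension is on the known-bad list."""
    return not any(seg in DENY for seg in segments(filename))


def allowlist_accepts(filename):
    """Accept only if there is an extension and every one is known-good."""
    segs = segments(filename)
    return bool(segs) and all(seg in ALLOW for seg in segs)


def missed_by_denylist(names):
    """Names the deny-list lets through although the allow-list rejects them."""
    return [n for n in names
            if denylist_accepts(n) and not allowlist_accepts(n)]


if __name__ == "__main__":
    for name in SAMPLES:
        print(f"{name:15} deny-list={denylist_accepts(name)!s:5} "
              f"allow-list={allowlist_accepts(name)}")
    print("missed by deny-list:", missed_by_denylist(SAMPLES))
```

The deny-list passes every handler it was never told about, and also a dotfile such as .htaccess, which would let an upload override the directory's own web server settings.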