Bug #16108
closed
Added by Andreas Balzer over 18 years ago.
Updated about 11 years ago.
Description
Upload of shtml files should be blocked by default, because this can be a security issue, e.g. you can shut down Windows computers with uploaded shtml files.
(issue imported from #M3386)
There are many ways to shut down a Windows computer; sometimes even a manipulated bmp or wma file is enough.
SCNR ;-)
Well, but this also works under Linux :)
I recommend blocking from upload anything that has the possibility to execute something. So the following files, for example:
.php
.phtm
*phtml
.shtm
.shtml
.exe
.bat
.cmd
....
The problem is you CAN'T build a complete list of everything that can be executed - i.e. what if the server has mod_perl? or ruby? or ASP?
The problem should be solved by webserver configuration in either .htaccess or some other way that would prohibit executing ANYTHING in the user-uploadable directories.
"in either .htaccess or some other way that would prohibit executing ANYTHING in the user-uploadable directories." Why not just create an .htaccess as an option in the install tool that is enabled by default? I mean, it cannot be hard to do that, and it would prevent normal BE users or even just FE users from uploading something with the contents 'system("format c:");', which is possible right now in many situations in TYPO3.
- Status changed from New to Needs Feedback
- Target version deleted (0)
- PHP Version deleted (4)
Hi,
As this issue is very old: does the problem still exist within newer versions of TYPO3 CMS (4.5 or 6.1)?
- Status changed from Needs Feedback to Closed
- Is Regression set to No
There is a configuration option to tell the backend which files are allowed / not allowed.
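The server-side approach proposed in the thread (no execution of anything in user-uploadable directories), sketched as an Apache configuration; this is an added example, not part of the original issue or of TYPO3. The directory path is a placeholder, and which `mod_php` module name applies depends on the installed PHP version.

```apache
# Added example. "/var/www/site/uploads" is a placeholder for the
# user-uploadable directory; adjust it to the real path.
<Directory "/var/www/site/uploads">
    # Ignore .htaccess files in this tree, so an uploaded .htaccess
    # cannot switch handlers back on.
    AllowOverride None

    # No CGI execution and no server-side includes (.shtml / .shtm).
    Options -ExecCGI -Includes

    # Serve every file as static content, whatever its extension.
    # This replaces handlers assigned by AddHandler/AddType
    # (PHP, Perl, Ruby, ...), so no extension list is needed.
    SetHandler default-handler

    # Belt and braces where PHP runs as an Apache module:
    # switch the PHP engine off for this directory.
    <IfModule mod_php5.c>
        php_admin_flag engine off
    </IfModule>
    <IfModule mod_php7.c>
        php_admin_flag engine off
    </IfModule>
    <IfModule mod_php.c>
        php_admin_flag engine off
    </IfModule>
</Directory>

# If PHP is wired up through a server-wide <FilesMatch> or <Location>
# block (e.g. a proxy handler for PHP-FPM), that block is merged after
# <Directory> and can still win. Check the result by requesting a
# harmless test script from the upload directory and confirming its
# source is returned instead of its output.
```

The `Options` and `SetHandler` lines can also go into an `.htaccess` file when `AllowOverride` permits them, but `AllowOverride` and `php_admin_flag` are only valid in the server configuration.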