Feature #16497: more secure [fileDenyPattern]
Status: closed
Description
I'd like to propose a more secure [fileDenyPattern]:
\.[php|inc|dhtml|pl|cgi]+$|\.php.$|.*\.[php|phpx|pl|inc|dhtml|pl|cgi]+\..*$|\.htaccess$
The standard pattern is \.php$|\.php.$ and that prevents:
1) .php
2) *.php4, *.php5, etc. -> *.php[any char here]
That is of course not all the extensions that may be executed on the server.
The extended (suggested) pattern prevents all well-known script extensions such as:
a) php
b) inc
c) dhtml
d) pl
e) cgi
Additionally it prevents double extensions like *.php.rar, *.inc.rar, etc. See http://forums.deftechgroup.com/archive/index.php/t-1638.html for information about the problem.
Finally, it prevents uploading .htaccess.
(issue imported from #M4104)
Updated by Krystian Szymukowicz about 18 years ago
This pattern could be even better:
\.[php|inc|dhtml|pl|cgi]+$|\.php.$|.*\.[php|phpx|pl|inc|dhtml|pl|cgi]+\..{1,3}$|\.htaccess$
I added the limiter {1,3}.
You can check that pattern at http://weitz.de/regex-coach/.
Updated by Krystian Szymukowicz over 16 years ago
In 4.2.1 it has been changed to
\.php[3-6]?(\..*)?$|^\.htaccess$
and as far as I know it is not going to change anymore, so this issue can be closed.
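As an added check, not code from this thread or from TYPO3: the script below runs the patterns posted above (the original proposal, the {1,3} variant from the first update, the 4.2.1 pattern from the second update, and the standard pattern they replace) against a set of constructed filenames. It assumes the application applies the pattern to the bare basename of the upload with a case-insensitive, unanchored search (preg_match-style), which is what the ^\.htaccess$ alternative in the 4.2.1 pattern implies; verify that against the actual call site before relying on it. The point it makes explicit is a regex detail the proposal overlooks: inside [...] the | is a literal character, so [php|inc|dhtml|pl|cgi]+ is not a list of extensions but a character class over the letters c d g h i l m n p t, which is why names like picture.png and page.html are denied by it as well.

```python
"""Evaluate the fileDenyPattern variants posted in this thread.

Added example, not TYPO3's own code.  The patterns are copied verbatim from
the posts; the filenames are constructed for the test.  Assumption: the
pattern is applied to the bare basename, case-insensitively, with an
unanchored search (PCRE preg_match semantics), as the ^\\.htaccess$
alternative of the 4.2.1 pattern implies.
"""
import re

PATTERNS = {
    "standard": r"\.php$|\.php.$",
    "proposed": r"\.[php|inc|dhtml|pl|cgi]+$|\.php.$|.*\.[php|phpx|pl|inc|dhtml|pl|cgi]+\..*$|\.htaccess$",
    "proposed_{1,3}": r"\.[php|inc|dhtml|pl|cgi]+$|\.php.$|.*\.[php|phpx|pl|inc|dhtml|pl|cgi]+\..{1,3}$|\.htaccess$",
    "4.2.1": r"\.php[3-6]?(\..*)?$|^\.htaccess$",
}

# Constructed sample names (not taken from the thread).  The last one is a
# path rather than a basename, to show what the ^ anchor does to it.
SAMPLES = [
    "shell.php", "shell.php5", "shell.phtml", "shell.php.rar", "shell.php.jpeg",
    "include.inc.rar", "picture.png", "page.html", "archive.tar.gz", "report.pdf",
    ".htaccess", "uploads/.htaccess",
]


def is_denied(pattern, filename, ignore_case=True):
    """True if the deny pattern matches anywhere in the filename."""
    flags = re.IGNORECASE if ignore_case else 0
    return re.search(pattern, filename, flags) is not None


def class_chars(bracket_expr):
    """Characters actually matched by a [...] expression such as [php|inc|...].

    Inside brackets '|' is a literal and the letters form a character class,
    not a list of alternatives, so [php|inc|dhtml|pl|cgi]+ matches any run of
    those letters (and pipes) after a dot.
    """
    return "".join(sorted(set(bracket_expr.strip("[]"))))


def evaluate(sample_names=SAMPLES, patterns=PATTERNS):
    """Return {filename: {pattern_name: denied}} for every sample."""
    return {name: {pn: is_denied(p, name) for pn, p in patterns.items()}
            for name in sample_names}


def false_positives(pattern_name,
                    benign=("picture.png", "page.html", "report.pdf", "archive.tar.gz")):
    """Benign (non-script) names the given pattern would reject."""
    return [n for n in benign if is_denied(PATTERNS[pattern_name], n)]


if __name__ == "__main__":
    print("[php|inc|dhtml|pl|cgi] is the character class",
          repr(class_chars("[php|inc|dhtml|pl|cgi]")))
    print(f"{'filename':20}" + "".join(f"{pn:>16}" for pn in PATTERNS))
    for name, row in evaluate().items():
        print(f"{name:20}" + "".join(f"{'DENY' if d else '-':>16}" for d in row.values()))
    for pn in PATTERNS:
        print(f"false positives for {pn}: {false_positives(pn)}")
```

Running it prints the deny matrix. Three rows are worth a look: picture.png and page.html are rejected by both proposed variants because of the character class; shell.php.jpeg is rejected by the unlimited proposal and by 4.2.1 but not by the {1,3} variant, since "jpeg" is four characters; and uploads/.htaccess is rejected by the proposal but not by 4.2.1, because ^\.htaccess$ only matches when the string handed to it is exactly the basename. shell.phtml is matched by the proposal only by accident of the character class and by none of the other patterns, which is a reminder that any such list is closed and has to be kept in step with what the web server actually executes.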