Project

General

Profile

Actions

Bug #18942

closed

Warning on fileDenyPattern is always shown although it's safe

Added by Daniel Minder over 16 years ago. Updated about 6 years ago.

Status:
Closed
Priority:
Should have
Assignee:
Category:
-
Target version:
-
Start date:
2008-06-12
Due date:
% Done:

0%

Estimated time:
TYPO3 Version:
4.4
PHP Version:
5.2
Tags:
Complexity:
Is Regression:
Sprint Focus:

Description

The check in class.t3lib_befunc.php if the configured fileDenyPattern is equal to its default value is too simple. We have modified the fileDenyPattern and appended some more extensions. The pattern is safe since it includes the default, but I still get this annoying warning in the backend.

(issue imported from #M8690)


Related issues 2 (0 open2 closed)

Related to TYPO3 Core - Bug #21023: $TYPO3_CONF_VARS['BE']['fileDenyPattern'] causes problemsClosed2009-09-10

Actions
Is duplicate of TYPO3 Core - Bug #25217: Additions to fileDenyPattern give security warning in BEClosedSteffen Kamper2011-03-01

Actions
Actions #1

Updated by Chris topher over 14 years ago

Can you provide a patch?

Actions #2

Updated by Daniel Minder over 14 years ago

I guess it's impossible to generate a meta-rule that checks if a regexp is fully covered by a second regexp... Therefore, I see two simpler approaches:

1. It should be save if something is appended to the fileDenyPattern using '|'. Therefore, changing the condition (line 4199) to the following should be ok:
if ($GLOBALS['TYPO3_CONF_VARS']['BE']['fileDenyPattern'] != FILE_DENY_PATTERN_DEFAULT
&& substr($GLOBALS['TYPO3_CONF_VARS']['BE']['fileDenyPattern'],0,strlen(FILE_DENY_PATTERN_DEFAULT)+1) != FILE_DENY_PATTERN_DEFAULT . '|' ) {

2. There is already a second if testing explicitely if '.htaccess' is denied using t3lib_div::verifyFilenameAgainstDenyPattern(). We could just test for dummy files that should be denied:
if (t3lib_div::verifyFilenameAgainstDenyPattern('x.php') || t3lib_div::verifyFilenameAgainstDenyPattern('x.php3') || t3lib_div::verifyFilenameAgainstDenyPattern('x.php4') || t3lib_div::verifyFilenameAgainstDenyPattern('x.php5') || t3lib_div::verifyFilenameAgainstDenyPattern('x.php6') ||
t3lib_div::verifyFilenameAgainstDenyPattern('x.php.y') || ...
Ok, that's not so nice and does not test if ALL possible files that match the original pattern also match the modified pattern. So, I would prefer version 1.

In the related bug #21023 I see a reference to #21023, which is unfortunately not accessible. I hope it is covered there.

And as a side note: the new reports sysext also includes this check in class.tx_reports_reports_status_securitystatus.php. So, it should also be modified there.

(Sorry for the late feedback, but the mail about the status change was sent two weeks after the change...)

Actions #3

Updated by Chris topher over 13 years ago

Resolved as duplicate of #0008690.

Actions #4

Updated by Chris topher over 13 years ago

Resolved as duplicate of #0017817.

Actions #5

Updated by Benni Mack about 6 years ago

  • Status changed from Resolved to Closed
Actions

Also available in: Atom PDF