TYPO3 Core

Can you provide a patch?

I guess it's impossible to generate a meta-rule that checks if a regexp is fully covered by a second regexp... Therefore, I see two simpler approaches:

1. It should be save if something is appended to the fileDenyPattern using '|'. Therefore, changing the condition (line 4199) to the following should be ok:
if ($GLOBALS['TYPO3_CONF_VARS']['BE']['fileDenyPattern'] != FILE_DENY_PATTERN_DEFAULT
&& substr($GLOBALS['TYPO3_CONF_VARS']['BE']['fileDenyPattern'],0,strlen(FILE_DENY_PATTERN_DEFAULT)+1) != FILE_DENY_PATTERN_DEFAULT . '|' ) {

2. There is already a second if testing explicitely if '.htaccess' is denied using t3lib_div::verifyFilenameAgainstDenyPattern(). We could just test for dummy files that should be denied:
if (t3lib_div::verifyFilenameAgainstDenyPattern('x.php') || t3lib_div::verifyFilenameAgainstDenyPattern('x.php3') || t3lib_div::verifyFilenameAgainstDenyPattern('x.php4') || t3lib_div::verifyFilenameAgainstDenyPattern('x.php5') || t3lib_div::verifyFilenameAgainstDenyPattern('x.php6') ||
t3lib_div::verifyFilenameAgainstDenyPattern('x.php.y') || ...
Ok, that's not so nice and does not test if ALL possible files that match the original pattern also match the modified pattern. So, I would prefer version 1.

In the related bug #21023 I see a reference to #21023, which is unfortunately not accessible. I hope it is covered there.

And as a side note: the new reports sysext also includes this check in class.tx_reports_reports_status_securitystatus.php. So, it should also be modified there.

(Sorry for the late feedback, but the mail about the status change was sent two weeks after the change...)

Resolved as duplicate of #0008690.

Resolved as duplicate of #0017817.