I guess it's impossible to generate a meta-rule that checks if a regexp is fully covered by a second regexp... Therefore, I see two simpler approaches:
1. It should be save if something is appended to the fileDenyPattern using '|'. Therefore, changing the condition (line 4199) to the following should be ok:
if ($GLOBALS['TYPO3_CONF_VARS']['BE']['fileDenyPattern'] != FILE_DENY_PATTERN_DEFAULT
&& substr($GLOBALS['TYPO3_CONF_VARS']['BE']['fileDenyPattern'],0,strlen(FILE_DENY_PATTERN_DEFAULT)+1) != FILE_DENY_PATTERN_DEFAULT . '|' ) {
2. There is already a second if testing explicitely if '.htaccess' is denied using t3lib_div::verifyFilenameAgainstDenyPattern(). We could just test for dummy files that should be denied:
if (t3lib_div::verifyFilenameAgainstDenyPattern('x.php') || t3lib_div::verifyFilenameAgainstDenyPattern('x.php3') || t3lib_div::verifyFilenameAgainstDenyPattern('x.php4') || t3lib_div::verifyFilenameAgainstDenyPattern('x.php5') || t3lib_div::verifyFilenameAgainstDenyPattern('x.php6') ||
t3lib_div::verifyFilenameAgainstDenyPattern('x.php.y') || ...
Ok, that's not so nice and does not test if ALL possible files that match the original pattern also match the modified pattern. So, I would prefer version 1.
In the related bug #21023 I see a reference to #21023, which is unfortunately not accessible. I hope it is covered there.
And as a side note: the new reports sysext also includes this check in class.tx_reports_reports_status_securitystatus.php. So, it should also be modified there.
(Sorry for the late feedback, but the mail about the status change was sent two weeks after the change...)
Updated by 
Updated by 
Updated by