Bug #21023

$TYPO3_CONF_VARS['BE']['fileDenyPattern'] causes problems

Added by Sigfried Arnold over 14 years ago. Updated almost 14 years ago.

Status: Closed
Priority: Should have
Assignee: -
Category: -
Target version: -
Start date: 2009-09-10
Due date:
% Done: 0%
Estimated time:
TYPO3 Version: 4.4
PHP Version: 5.3
Tags:
Complexity:
Is Regression:
Sprint Focus:

Description

The default regular expression filters out filenames which merely contain .php:

\.php[3-6]?(\..*)?$|^\.htaccess$

For example, try to add a file named foobar.php.gz; it will fail with the message "1: Fileextension 'gz' not allowed. (tt_content:8:media)"

The problem is that it checks for ".php" + "optional 3-6" + ("." + "any sequence") at the end of the string.

Obviously it should only check for ".php" + "optional 3-6" at the end of the string, plus phtml and phpsh.

Also, adding .htpasswd should be denied; I guess there is no use for it anyway.

The pattern should be changed to \.(php([3-6]|sh)?|phtml)$|^\.ht(access|passwd)$

(issue imported from #M11914)


Files

config_default.php.diff (754 Bytes), Administrator Admin, 2009-09-10 00:12

Related issues: 2 (0 open, 2 closed)

Related to TYPO3 Core - Bug #18942: Warning on fileDenyPattern is always shown although it's safe (Closed, Chris topher, 2008-06-12)
Related to TYPO3 Core - Bug #22651: phtml is also PHP extension and should be denied editing / uploading via fileadmin (Closed, Oliver Hader, 2010-05-14)

#1

Updated by Marcus Krause over 14 years ago

The above-mentioned regex is not faulty. It is intentionally the way it is.

As you pointed out, it prevents using filenames like myscript.php.gz. However, it also prevents uploading files with an invalid last suffix like malicious-code.php.abc.

Exactly this last file would be parsed by PHP with a specific (default) Apache setting.
More details on it in:
http://typo3.org/teams/security/security-bulletins/typo3-20080611-1/

Regarding the addition of .htpasswd: indeed, this might be a valid request.

#2

Updated by Sigfried Arnold over 14 years ago

Thanks for the link. So that turns things around a bit - adding phtml or phpsh should be done too.

And of course, the error message is faulty then: "1: Fileextension 'gz' not allowed. (tt_content:8:media)" should be changed to "1: File not allowed (denied by fileDenyPattern) (tt_content:8:media)", because it's not denied for its extension .gz.

Took me a bit to figure that one out.

But I'm really interested in how to get Apache to execute foo.php.gz as PHP without touching the .htaccess file or Apache config. As far as I understand, you first need to upload an .htaccess file (with malicious code), and after that you can execute foo.php.gz or whatever. But forbidding .php.gz as a filename won't prevent this; you could just configure Apache to parse .jpg like PHP files, or any other extension you want.

#3

Updated by Marcus Krause over 14 years ago

Okay, here it comes:

The problem isn't files with a suffix that Apache knows (e.g. myfile.php.gz).
Apache sees and understands .gz and treats it as an archive.

The problem is files like myfile.php.abc.
Apache doesn't know .abc and so "cuts it off" the filename. This results in a filename like myfile.php. Apache then suspects the file to be PHP code and hands it (myfile.php.abc) to the PHP parser.
And that's something you'd like to prevent. And it works out of the box. No need to place bad configuration options in a .htaccess file beforehand.

Regarding files with the extension .phtml:
I suggest sending a mail to the TYPO3 Security Team and asking for phtml to be added to the fileDenyPattern, too. I'm unsure about ".phpsh". It might be the case that Apache doesn't know it at all (.phpsh always needs to be called via the CLI).
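
As an added illustration (not part of the original report, the attachment, or the TYPO3 project's own code), the following Python script runs three fileDenyPattern variants against a set of constructed file names covering the cases raised in the description and comments #1 to #3: the default pattern quoted in the description, the replacement proposed there, and a third, hypothetical pattern of my own construction that keeps the default's trailing "(\..*)?" and adds phtml, phpsh and .htpasswd. The sample names and the third pattern are assumptions for the demonstration. Case-insensitive matching is also an assumption, based on TYPO3 applying the pattern with preg_match() and the i modifier; check the core version you run. The comparison shows what the thread is arguing about: the proposed pattern gains phtml, phpsh and .htpasswd but starts accepting "name.php.<anything>", including malicious-code.php.abc.

```python
import re

# Default fileDenyPattern as quoted in the report (TYPO3 4.x config_default.php).
ORIGINAL_PATTERN = r"\.php[3-6]?(\..*)?$|^\.htaccess$"

# Replacement proposed in the report: anchors the PHP suffix to the end of the name.
PROPOSED_PATTERN = r"\.(php([3-6]|sh)?|phtml)$|^\.ht(access|passwd)$"

# Hypothetical third variant (assumption, not from the page): keeps the original's
# trailing "(\..*)?" so "name.php.<anything>" stays blocked, and adds the extensions
# discussed in the thread.
COMBINED_PATTERN = r"\.(php[3-6]?|phpsh|phtml)(\..*)?$|^\.ht(access|passwd)$"


def is_denied(filename: str, pattern: str) -> bool:
    """True if filename is blocked by the given fileDenyPattern.

    Assumption: TYPO3 applies the pattern with preg_match() and the /i
    modifier, so matching is case-insensitive here too.
    """
    return re.search(pattern, filename, re.IGNORECASE) is not None


# Constructed sample file names covering the cases raised in the thread.
SAMPLES = [
    "foobar.php.gz",           # the report's harmless example
    "malicious-code.php.abc",  # comment #1: unknown last suffix
    "index.php",
    "EVIL.PHP",                # upper case, relies on case-insensitive matching
    "shell.phtml",             # comment #2 / #22651
    "run.phpsh",
    ".htaccess",
    ".htpasswd",
    "photo.jpg",
    "readme.php.txt",
]


def compare(patterns: dict, filenames=SAMPLES) -> dict:
    """Return {filename: {pattern_label: denied?}} for every sample name."""
    return {
        name: {label: is_denied(name, pat) for label, pat in patterns.items()}
        for name in filenames
    }


def weakened_by(old: str, new: str, filenames=SAMPLES) -> list:
    """File names the old pattern blocks but the new one lets through."""
    return [n for n in filenames if is_denied(n, old) and not is_denied(n, new)]


if __name__ == "__main__":
    table = compare({"original": ORIGINAL_PATTERN,
                     "proposed": PROPOSED_PATTERN,
                     "combined": COMBINED_PATTERN})
    for name, verdicts in table.items():
        cells = "  ".join(f"{k}={'DENY' if v else 'ok  '}" for k, v in verdicts.items())
        print(f"{name:25s} {cells}")
    print("proposed pattern newly allows:",
          weakened_by(ORIGINAL_PATTERN, PROPOSED_PATTERN))
    print("combined pattern newly allows:",
          weakened_by(ORIGINAL_PATTERN, COMBINED_PATTERN))
```

The weakened_by() check is the one worth keeping around whenever the deny pattern is edited: run the old and the new pattern over the same list of file names and insist that the new one blocks everything the old one did.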

#4

Updated by Chris topher almost 14 years ago

So the points here are:
- Fix the misleading error message in the BE.
- Maybe: add htpasswd, phtml and phpsh to the deny pattern.
Sigfried, are you interested in patching this?

#5

Updated by Marcus Krause almost 14 years ago

Issue will be taken care of by #22651.
