Project

General

Profile

Actions

Bug #21023

closed

$TYPO3_CONF_VARS['BE']['fileDenyPattern'] causes problems

Added by Sigfried Arnold about 15 years ago. Updated over 14 years ago.

Status:
Closed
Priority:
Should have
Assignee:
-
Category:
-
Target version:
-
Start date:
2009-09-10
Due date:
% Done:

0%

Estimated time:
TYPO3 Version:
4.4
PHP Version:
5.3
Tags:
Complexity:
Is Regression:
Sprint Focus:

Description

The default regular expression filters out filenames wich just contains .php:

\.php[3-6]?(\..*)?$|^\.htaccess$

for example - try to add a file named foobar.php.gz - it wil fail with the message "1: Fileextension 'gz' not allowed. (tt_content:8:media)"

The Problem is it checks for ".php" + "optional 3-6" + ("." + "any sequence") at the end of string

obviously it should only check for ".php" + "optional 3-6" at the end of string plus phtml and phpsh

also adding of .htpasswd should be denied - i guess there is no use for anyway

The pattern should be changed to \.(php([3-6]|sh)?|phtml)$|^\.ht(access|passwd)$

(issue imported from #M11914)


Files

config_default.php.diff (754 Bytes) config_default.php.diff Administrator Admin, 2009-09-10 00:12

Related issues 2 (0 open2 closed)

Related to TYPO3 Core - Bug #18942: Warning on fileDenyPattern is always shown although it's safeClosedChris topher2008-06-12

Actions
Related to TYPO3 Core - Bug #22651: phtml is also PHP extension and should be denied editing / uploading via fileadminClosedOliver Hader2010-05-14

Actions
Actions

Also available in: Atom PDF