Bug #22651

phtml is also PHP extension and should be denied editing / uploading via fileadmin

Added by Ernesto Baschny over 9 years ago. Updated about 9 years ago.

Status: Closed
Priority: Should have
Assignee: -
Category: -
Target version: -
Start date: 2010-05-14
Due date: -
% Done: 0%
TYPO3 Version: 4.4
PHP Version: 5.2
Tags: -
Complexity: -
Is Regression: -
Sprint Focus: -

Description

Most Linux distributions with PHP enabled will add handling of .phtml files through PHP module:

AddType application/x-httpd-php .php .phtml .php3

This is currently not in the list of denied files (in PHP_EXTENSIONS_DEFAULT of t3lib/config_default.php).

This means uploading a .phtml file through File manager will make it executable.

Solution is to add this extension to the list.

Same applies to v4.2 and v4.3.
(issue imported from #M14389)
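
The following is an added illustration, not code from the ticket or from TYPO3 itself. It models the deny check described above with two regular expressions: a constructed stand-in for the default deny pattern before this fix and the same pattern with `.phtml` added. The pattern shapes (including the `(\..*)?$` tail and the `^\.htaccess$` alternative) and the constant names are assumptions made for this example; TYPO3's real check lives in PHP and reads its list from t3lib/config_default.php, which this page does not reproduce.

```python
import re

# Constructed stand-in for the default deny pattern before this fix (assumption:
# modelled on TYPO3's pattern style, not copied from config_default.php).
DENY_PATTERN_BEFORE = r"\.(php[3-6]?|phpsh)(\..*)?$|^\.htaccess$"

# The same pattern with .phtml added, as the ticket proposes (assumption, see above).
DENY_PATTERN_AFTER = r"\.(php[3-6]?|phpsh|phtml)(\..*)?$|^\.htaccess$"


def is_denied(filename: str, pattern: str) -> bool:
    """Return True if an upload with this name should be rejected.

    Matching is case-insensitive: Apache's AddType handler mapping and
    case-insensitive filesystems do not distinguish 'x.PHTML' from 'x.phtml',
    so the deny check must not either.
    """
    return re.search(pattern, filename, re.IGNORECASE) is not None


def audit(filenames, pattern):
    """Map each candidate filename to whether the given pattern blocks it."""
    return {name: is_denied(name, pattern) for name in filenames}


def gaps(filenames, pattern_before, pattern_after):
    """Names the old pattern lets through but the new pattern blocks."""
    return [
        name for name in filenames
        if not is_denied(name, pattern_before) and is_denied(name, pattern_after)
    ]


# Constructed sample upload names: ordinary assets plus names a PHP handler
# configured with 'AddType application/x-httpd-php .php .phtml' would execute.
SAMPLE_UPLOADS = [
    "logo.png",
    "notes.txt",
    "index.php",
    "page.phtml",
    "page.PHTML",
    "page.phtml.bak",   # caught by the (\..*)?$ tail, a multi-extension name
    "helper.inc",       # deliberately not on the list, per the discussion below
]

if __name__ == "__main__":
    for name, blocked in audit(SAMPLE_UPLOADS, DENY_PATTERN_AFTER).items():
        print(f"{name:16} blocked={blocked}")
    print("newly blocked:", gaps(SAMPLE_UPLOADS, DENY_PATTERN_BEFORE, DENY_PATTERN_AFTER))
```

Running the script shows that `index.php` is rejected by both patterns while `page.phtml`, `page.PHTML` and `page.phtml.bak` are only rejected once `phtml` is in the alternation; `helper.inc` stays allowed under both, which is the outcome the comments on this ticket argue for.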

14389.diff View (979 Bytes) Administrator Admin, 2010-05-14 21:09

14389-phtml-fileext_v2_4-1.patch View (989 Bytes) Administrator Admin, 2010-05-20 15:57

14389-phtml-fileext_v2_4-2.patch View (989 Bytes) Administrator Admin, 2010-05-20 15:57

14389-phtml-fileext_v2_4-3.patch View (3.18 KB) Administrator Admin, 2010-05-20 15:57

14389-phtml-fileext_v2_4-4.patch View (3.18 KB) Administrator Admin, 2010-05-20 15:57

14389-phtml-fileext_v3_4.2_and_4.1.diff View (989 Bytes) Administrator Admin, 2010-06-30 14:23

14389-phtml-fileext_v3_4.3.diff View (3.17 KB) Administrator Admin, 2010-06-30 14:23

14389-phtml-fileext_v3_trunk_and_4.4.diff View (3.15 KB) Administrator Admin, 2010-06-30 14:23

14389-phtml-fileext_v4_4.2_and_4.1.diff View (985 Bytes) Administrator Admin, 2010-06-30 17:59

14389-phtml-fileext_v4_4.3.diff View (3.2 KB) Administrator Admin, 2010-06-30 17:59

14389-phtml-fileext_v5_4.3.diff View (3.22 KB) Administrator Admin, 2010-07-27 21:46

14389-phtml-fileext_v4_trunk_and_4.4.diff View (3.16 KB) Administrator Admin, 2010-07-27 21:46


Related issues

Related to TYPO3 Core - Bug #21023: $TYPO3_CONF_VARS['BE']['fileDenyPattern'] causes problems Closed 2009-09-10
Related to TYPO3 Core - Bug #23630: Disallow common PHP file extensions with fileDenyPattern Closed 2010-09-28

History

#1 Updated by Ingmar Schlecht over 9 years ago

The patch mostly looks good, but I would remove the file extension ".inc" from the list again, as that is a file extension that is normally used to denote PHP files that are only included and never directly executed by apache. Such files would actually make sense to be able to create or edit from within the Filelist so it shouldn't be on the deny pattern. Otherwise it would require to revert to file extensions like .txt for such included PHP files, which is kinda ugly...

#2 Updated by Xavier Perseguers over 9 years ago

I agree with Ingmar, inc extension should be removed.

#3 Updated by Tobias Liebig over 9 years ago

I just discussed this with Ingmar and Olly (who added the "inc" extension) and we agreed to remove it again.
Updated patches attached.

#4 Updated by Oliver Hader over 9 years ago

Updated patches for TYPO3_4-3, TYPO3_4-4 and Trunk.

#5 Updated by Oliver Hader over 9 years ago

Committed to SVN
  • TYPO3_4-1 (rev. 8391)
  • TYPO3_4-2 (rev. 8392)
  • TYPO3_4-3 (rev. 8393, 8396)
  • TYPO3_4-4 (rev. 8394, 8397)
  • Trunk (rev. 8395, 8398)

#6 Updated by Ingo Renner over 9 years ago

released in
4.1.15
4.2.14
4.3.5
4.4.2
