phtml is also a PHP extension and should be denied editing / uploading via fileadmin
Most Linux distributions with PHP enabled will add handling of .phtml files through the PHP module:
AddType application/x-httpd-php .php .phtml .php3
This is currently not in the list of denied files (in PHP_EXTENSIONS_DEFAULT of t3lib/config_default.php).
This means uploading a .phtml file through File manager will make it executable.
The solution is to add this extension to the list.
Same applies to v4.2 and v4.3.
(issue imported from #M14389)
#1 Updated by Ingmar Schlecht over 9 years ago
The patch mostly looks good, but I would remove the file extension ".inc" from the list again, as that is a file extension that is normally used to denote PHP files that are only included and never directly executed by Apache. Such files would actually make sense to be able to create or edit from within the Filelist so it shouldn't be on the deny pattern. Otherwise it would require to revert to file extensions like .txt for such included PHP files, which is kinda ugly...
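
Added example, not part of the original report or of TYPO3's code: a small audit that reads the Apache AddType/AddHandler directives and lists every extension the server hands to PHP that a deny list does not cover, which is the gap the report describes for .phtml and the question the comment raises for .inc. The sample config (apart from the directive quoted in the report), the deny list value and the function names are constructed for illustration.

```python
import re

# Constructed sample input: the directive quoted in the report plus
# made-up lines (a commented-out directive, an unrelated type, a handler).
SAMPLE_APACHE_CONF = """\
AddType application/x-httpd-php .php .phtml .php3
# AddType application/x-httpd-php .inc
AddType text/html .shtml
AddHandler php5-script PHP5
"""

# Hypothetical deny list for illustration, not TYPO3's actual default value.
SAMPLE_DENY_LIST = "php,php3,php5"

DIRECTIVE = re.compile(r"^\s*Add(?:Type|Handler)\s+(\S+)\s+(.+)$", re.IGNORECASE)


def php_handled_extensions(conf_text):
    """Return the extensions the config maps to PHP (lowercase, no dot)."""
    handled = set()
    for line in conf_text.splitlines():
        if line.lstrip().startswith("#"):
            continue  # a commented-out directive has no effect
        m = DIRECTIVE.match(line)
        if not m or "php" not in m.group(1).lower():
            continue  # not a PHP type/handler mapping
        for ext in m.group(2).split():
            # mod_mime accepts extensions with or without the dot, in any case
            handled.add(ext.lstrip(".").lower())
    return handled


def deny_list_gaps(conf_text, deny_list):
    """Extensions the server executes as PHP that the deny list misses."""
    denied = {e.strip().lstrip(".").lower()
              for e in deny_list.split(",") if e.strip()}
    return sorted(php_handled_extensions(conf_text) - denied)


if __name__ == "__main__":
    print(deny_list_gaps(SAMPLE_APACHE_CONF, SAMPLE_DENY_LIST))
```

With this sample, .inc is not reported because the only directive mapping it to PHP is commented out; it would be reported as soon as the server config actually handed .inc files to PHP.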