Bug #22651
closed
phtml is also PHP extension and should be denied editing / uploading via fileadmin
Description
Most Linux distributions with PHP enabled will add handling of .phtml files through PHP module:
AddType application/x-httpd-php .php .phtml .php3
This is currently not in the list of denied files (in PHP_EXTENSIONS_DEFAULT of t3lib/config_default.php).
This means uploading a .phtml file through File manager will make it executable.
Solution is to add this extension to the list.
Same applies to v4.2 and v4.3.
(issue imported from #M14389)
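The gap described above, as an added example that is not TYPO3 code: a deny-list check run against a list without and with phtml. The two lists are constructed from the AddType line in the description, and `isUploadAllowed()` is a hypothetical helper; the check looks at every dot-separated extension because Apache's mod_mime considers each extension of a file name.

```php
<?php
// Constructed lists mirroring the AddType line above; not TYPO3's real values.
const DENIED_BEFORE = 'php,php3';
const DENIED_AFTER  = 'php,php3,phtml';

/**
 * Hypothetical helper (not a TYPO3 API): returns true when no extension
 * of $fileName is on the comma-separated $deniedList.
 */
function isUploadAllowed(string $fileName, string $deniedList): bool
{
    $denied = array_filter(array_map('trim', explode(',', strtolower($deniedList))));
    // Keep only the file name and compare case-insensitively.
    $name = strtolower(basename(str_replace('\\', '/', $fileName)));
    $parts = explode('.', $name);
    array_shift($parts); // the part before the first dot is not an extension
    // mod_mime considers every extension of a name, so check each one.
    foreach ($parts as $extension) {
        if (in_array(trim($extension), $denied, true)) {
            return false;
        }
    }
    return true;
}

// Constructed sample file names.
$samples = ['page.php', 'template.phtml', 'Template.PHTML', 'template.phtml.bak', 'helper.inc', 'notes.txt'];
foreach ($samples as $sample) {
    printf(
        "%-20s before: %-8s after: %s\n",
        $sample,
        isUploadAllowed($sample, DENIED_BEFORE) ? 'allowed' : 'denied',
        isUploadAllowed($sample, DENIED_AFTER) ? 'allowed' : 'denied'
    );
}
```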
Updated by Ingmar Schlecht over 14 years ago
The patch mostly looks good, but I would remove the file extension ".inc" from the list again, as that is a file extension that is normally used to denote PHP files that are only included and never directly executed by Apache. Such files would actually make sense to be able to create or edit from within the Filelist so it shouldn't be on the deny pattern. Otherwise it would require reverting to file extensions like .txt for such included PHP files, which is kinda ugly...
Updated by Xavier Perseguers over 14 years ago
I agree with Ingmar, inc extension should be removed.
Updated by Tobias Liebig over 14 years ago
I just discussed this with Ingmar and Olly (who added the "inc" extension) and we agreed to remove it again.
Updated patches attached.
Updated by Oliver Hader over 14 years ago
Updated patches for TYPO3_4-3, TYPO3_4-4 and Trunk.
Updated by Oliver Hader over 14 years ago
- TYPO3_4-1 (rev. 8391)
- TYPO3_4-2 (rev. 8392)
- TYPO3_4-3 (rev. 8393, 8396)
- TYPO3_4-4 (rev. 8394, 8397)
- Trunk (rev. 8395, 8398)