Bug #22651

phtml is also PHP extension and should be denied editing / uploading via fileadmin

Added by Ernesto Baschny almost 11 years ago. Updated over 10 years ago.

Should have

Most Linux distributions with PHP enabled will add handling of .phtml files through the PHP module:

AddType application/x-httpd-php .php .phtml .php3

This is currently not in the list of denied files (in PHP_EXTENSIONS_DEFAULT of t3lib/config_default.php).

This means uploading a .phtml file through File manager will make it executable.

Solution is to add this extension to the list.

Same applies to v4.2 and v4.3.
(issue imported from #M14389)


14389.diff (979 Bytes) Administrator Admin, 2010-05-14 21:09
14389-phtml-fileext_v2_4-1.patch (989 Bytes) Administrator Admin, 2010-05-20 15:57
14389-phtml-fileext_v2_4-2.patch (989 Bytes) Administrator Admin, 2010-05-20 15:57
14389-phtml-fileext_v2_4-3.patch (3.18 KB) Administrator Admin, 2010-05-20 15:57
14389-phtml-fileext_v2_4-4.patch (3.18 KB) Administrator Admin, 2010-05-20 15:57
14389-phtml-fileext_v3_4.2_and_4.1.diff (989 Bytes) Administrator Admin, 2010-06-30 14:23
14389-phtml-fileext_v3_4.3.diff (3.17 KB) Administrator Admin, 2010-06-30 14:23
14389-phtml-fileext_v3_trunk_and_4.4.diff (3.15 KB) Administrator Admin, 2010-06-30 14:23
14389-phtml-fileext_v4_4.2_and_4.1.diff (985 Bytes) Administrator Admin, 2010-06-30 17:59
14389-phtml-fileext_v4_4.3.diff (3.2 KB) Administrator Admin, 2010-06-30 17:59
14389-phtml-fileext_v5_4.3.diff (3.22 KB) Administrator Admin, 2010-07-27 21:46
14389-phtml-fileext_v4_trunk_and_4.4.diff (3.16 KB) Administrator Admin, 2010-07-27 21:46
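
The gap reported above (the web server hands an extension to PHP that the upload deny list does not cover) can be checked mechanically. The following is an added example, not code from TYPO3 or from the attached patches; the sample configuration (apart from the AddType line quoted in the report), the sample deny list, the function names and the heuristic for recognising PHP type/handler names are assumptions.

```python
import re

# Constructed sample config; only the first AddType line is quoted from the report.
SAMPLE_APACHE_CONF = """\
AddType application/x-httpd-php .php .phtml .php3
AddType application/x-httpd-php-source .phps
AddType text/html .shtml
  addhandler application/x-httpd-php PHP5
# AddType application/x-httpd-php .php4
"""

# Constructed deny list for illustration, NOT the project's actual
# PHP_EXTENSIONS_DEFAULT value.
SAMPLE_DENY_LIST = "php,php3,php4,php5"

# Directive names are case-insensitive in Apache configuration files.
DIRECTIVE_RE = re.compile(r"^\s*(AddType|AddHandler)\s+(\S+)\s+(.+)$", re.IGNORECASE)


def php_mapped_extensions(conf_text):
    """Return the extensions that AddType/AddHandler lines map to PHP execution."""
    found = set()
    for line in conf_text.splitlines():
        if line.lstrip().startswith("#"):      # whole-line comment
            continue
        m = DIRECTIVE_RE.match(line)
        if not m:
            continue
        target = m.group(2).strip('"').lower()
        # Assumed heuristic: PHP types/handlers contain "php"; "-source" only
        # displays highlighted source and does not execute the file.
        if "php" not in target or target.endswith("-source"):
            continue
        for ext in m.group(3).split():
            # Extensions may be written with or without the dot, in any case.
            found.add(ext.lstrip(".").lower())
    return found


def missing_from_deny_list(conf_text, deny_csv):
    """Return PHP-executed extensions that the comma-separated deny list misses."""
    denied = {e.strip().lstrip(".").lower() for e in deny_csv.split(",") if e.strip()}
    return sorted(php_mapped_extensions(conf_text) - denied)


if __name__ == "__main__":
    print(missing_from_deny_list(SAMPLE_APACHE_CONF, SAMPLE_DENY_LIST))
```

Run against the real server configuration and the configured deny list, a non-empty result names extensions that would execute if uploaded.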

Related issues

Related to TYPO3 Core - Bug #21023: $TYPO3_CONF_VARS['BE']['fileDenyPattern'] causes problems (Closed, 2009-09-10)

Related to TYPO3 Core - Bug #23630: Disallow common PHP file extensions with fileDenyPattern (Closed, 2010-09-28)


Updated by Ingmar Schlecht almost 11 years ago

The patch mostly looks good, but I would remove the file extension ".inc" from the list again, as that is a file extension that is normally used to denote PHP files that are only included and never directly executed by Apache. Such files would actually make sense to be able to create or edit from within the Filelist so it shouldn't be on the deny pattern. Otherwise it would require to revert to file extensions like .txt for such included PHP files, which is kinda ugly...


Updated by Xavier Perseguers almost 11 years ago

I agree with Ingmar, inc extension should be removed.


Updated by Tobias Liebig almost 11 years ago

I just discussed this with Ingmar and Olly (who added the "inc" extension) and we agreed to remove it again.
Updated patches attached.


Updated by Oliver Hader almost 11 years ago

Updated patches for TYPO3_4-3, TYPO3_4-4 and Trunk.


Updated by Oliver Hader almost 11 years ago

Committed to SVN
  • TYPO3_4-1 (rev. 8391)
  • TYPO3_4-2 (rev. 8392)
  • TYPO3_4-3 (rev. 8393, 8396)
  • TYPO3_4-4 (rev. 8394, 8397)
  • Trunk (rev. 8395, 8398)

Updated by Ingo Renner over 10 years ago

released in
