TYPO3 Core

With the settings $TYPO3_CONF_VARS['BE']['fileExtensions']['webspace'] and …['ftpspace'] you ought to be able to restrict what kind of filetypes can be used in the filelist module. But after checking the function "is_allowed" in the class t3lib_basicFileFunctions and the core api documentation at around page 47, you will quickly realize, that the allow setting is pretty useless, because the function interprets "allow" only as a kind of override to "deny". So though you set it to 'pdf,png,gif', you can still upload everything, that is not caught by deny and the additionally checked fileDenyPattern.

Quoting from the core api doc:
The control is done like this: if an extension matches 'allow' then the check returns true. If not and an extension matches 'deny' then the check return false. If no match at all, returns true.

This behaviour should be changed, so that if there is a specific setting for allowed filetypes, you can only use those in your web/ftpspace. The flash uploader already does it that way and let's you only select allowed filetypes, but if you turn it off or don't have a flash plugin, the default check is active.

Solution: clean up the is_allowed function and make it more strict

I also created a testcase for the behaviour of the is_allowed function. This is my first unit test, so any notes on that are welcome.

(issue imported from #M16136)