TYPO3 Core

Under review by TYPO3 security team.

Neither I understand the problem, nor can I reproduce it with TYPO3 4.4.6

Can you give us a little more details?
Which uploader are you using (flash or form)?
Did I understand it right, that you cannot upload .jpg or .gif files, but only .php files?
What does the reports module state on the fileDenyPattern topic?

1. I use the flash uploader.

2. Yes, the only files that are available for upload when I click on "Select Files" in the Flash dialog are those with extension php.

Can you actualy upload php files or do you then get an error message?

Which browser on which system are you using?

Does the problem also exist, if you are using the "normal" uploader?

File Deny Pattern is OK/green in Reports.

By the way, how can I disable the Depreciation Log?

Can you please answer my other questions?
Thanks.

Well, the dialog says:
"You can upload the following file types *.php", but when I actually try to upload a php-file (test.php) I get the error message:
"Filetype not allowed for test.php".

I don't know how to switch to the "normal" uploader since the flash-uploader was active by default.

Both Firefox 3.6.13 and IE 8 have this problem.

You can do it in the user settings->edit & advanced functions

What operating system are you using?

The normal dialog is working as expected.
Windows 7 (64 bit)
Flash version is 10,1,102,64

Ralf, can you test, if this still is an issue with TYPO3 4.5.2?
There were some fixes for the Flash Uploader recently. Maybe uploading files works correctly for you now?

Sorry, but I'm not going to upgrade to 4.5 for a while. Besides, the php-upload works just fine ;-)

I did recently upgrade from 4.3.1 to 4.4.6 and finally to 4.5.2.

Briefly, with 4.4.6 as with 4.5.2:
Any upload fails using "Flash Uploader (Flash 9+)" with FF and Chrome.
With IE I can upload all files except php/inc,
even if I didn't put these extensions in "fileDenyPattern"
neither in "fileExtensions>webspace>deny".

The tests

Date: Monday, April 11, 2011
SO: Win XP SP3
Browser:
- Firefox 4.0 w/ Flash 10.1.85.3 => cannot upload any file type
- Chrome 10 w/ Flash 10.2.154.25 => cannot upload any file type
- Internet Explorer 7.0 w/ Flash 10.2.152.32 => cannot upload php/inc, can upload other types

Settings:

(note: sorry, I will go a little off topic)

The test site uses this settings in localconf.php:

$TYPO3_CONF_VARS['BE']['fileExtensions']['webspace']['deny'] = 'php3,php4,php5,php6,phpsh';

in order to:

- deny "php3,php4,php5,php6,phpsh,phtml" extensions
- allow upload for ".php" and ".inc" files, and all other file formats (.txt, ...)

With flash uploader disabled from user preferences,
I can upload the ".inc" files (ok), but not the ".php" ones (bad).
Using flash uploader, I can't upload anything.

It seems that at least the standard uploader
uses only the 'fileDenyPattern' variable.

I was not using fileDenyPattern in localconf.php, so
the default value is used (see t3lib/config_default.php):

'\.(php[3-6]?|phpsh|phtml)(\..*)?$|^\.htaccess$'

This expression will not match .inc, but it will match .php
and .php.inc files (test: http://www.regular-expressions.info/javascriptexample.html)
So I changed it to (note the use of plus instead of the question,
to allow also .php extension):

$TYPO3_CONF_VARS['BE']['fileDenyPattern'] = '\.(php[3-6]+|phpsh)?$';

Now, always with Flash uploader disabled, I can upload the .php files too.

But with flash uploader enabled, even if I set:

$TYPO3_CONF_VARS['BE']['fileExtensions']['webspace']['allow'] = 'php';
$TYPO3_CONF_VARS['BE']['fileExtensions']['webspace']['deny'] = '';
$TYPO3_CONF_VARS['BE']['fileDenyPattern'] = '';

upload of php files fails ("Filetype not allowed for <filename>").
In the flash uploader upload window the default filter is set to '.php'
(it was 'all' before... maybe it is based on the 'allow' variable)
and I receive a warning in the backend main page that I can't remove.

No errors in http server error log, javascript console or typo3 backend logs.

Other tests with Flash uploader enabled (before adding the three lines):

1) the upload of .php/.inc files fails, showing:

"Filetype not allowed for <filename>"

so, the flash uploader can't read the settings?

2) the upload of other file types (i.e.: .txt) shows:

<<All of your uploads failed.

If this problem persists, please try another browser, contact your administrator or disable this "Flash Uploader" in your User Settings.

Detailed problem description:
An input/output error occured (Error #2038). This i.e. happens with servers using a self-signed SSL certificate, which is a limitation of your browser's Flash plugin.

the last line is shown only after some (three?) uploads.
But the site is configured with http protocol only (not https).

For the moment, I'm going to tell users to disable their flash uploader...

Notes

Another way to test the fileDenyPattern regexp (useful for standard uploader):
when I create a file (with 'new' in 'fileadmin'), I see this mask:

[*.txt, *.html, *.htm, *.css, *.tmpl, *.js, *.sql, *.xml, *.csv, *.php, *.inc]

it seems that it is obtained by subtracting the fileDenyPattern extensions
from ['SYS']['text_file_ext'], that on the test site is:

'txt,html,htm,css,tmpl,js,sql,xml,csv,php,php3,php4,php5,php6,phpsh,inc,phtml'