Bug #24548
closedUploading files with Flash does not work
0%
Description
Even though $TYPO3_CONF_VARS['GFX'][BE][fileDenyPattern] is the default, i.e. "\.(php[3-6]?|phpsh|phtml)(\..*)?$|^\.htaccess$", only php-files are shown in the file selector when using the flash uploader.
Uploading the php files is not possible, due to the fileDenyPattern.
Typo3 4.4.4 doesn't have this bug.
(issue imported from #M17004)
Updated by Marcus Krause almost 14 years ago
Under review by TYPO3 security team.
Updated by Helmut Hummel almost 14 years ago
Neither I understand the problem, nor can I reproduce it with TYPO3 4.4.6
Can you give us a little more details?
Which uploader are you using (flash or form)?
Did I understand it right, that you cannot upload .jpg or .gif files, but only .php files?
What does the reports module state on the fileDenyPattern topic?
Updated by Ralf Seliger almost 14 years ago
1. I use the flash uploader.
2. Yes, the only files that are available for upload when I click on "Select Files" in the Flash dialog are those with extension php.
Updated by Helmut Hummel almost 14 years ago
Can you actualy upload php files or do you then get an error message?
Which browser on which system are you using?
Does the problem also exist, if you are using the "normal" uploader?
Updated by Ralf Seliger almost 14 years ago
File Deny Pattern is OK/green in Reports.
By the way, how can I disable the Depreciation Log?
Updated by Helmut Hummel almost 14 years ago
Can you please answer my other questions?
Thanks.
Updated by Ralf Seliger almost 14 years ago
Well, the dialog says:
"You can upload the following file types *.php", but when I actually try to upload a php-file (test.php) I get the error message:
"Filetype not allowed for test.php".
Updated by Ralf Seliger almost 14 years ago
I don't know how to switch to the "normal" uploader since the flash-uploader was active by default.
Updated by Ralf Seliger almost 14 years ago
Both Firefox 3.6.13 and IE 8 have this problem.
Updated by Helmut Hummel almost 14 years ago
You can do it in the user settings->edit & advanced functions
Updated by Helmut Hummel almost 14 years ago
What operating system are you using?
Updated by Ralf Seliger almost 14 years ago
The normal dialog is working as expected.
Windows 7 (64 bit)
Flash version is 10,1,102,64
Updated by Chris topher over 13 years ago
Ralf, can you test, if this still is an issue with TYPO3 4.5.2?
There were some fixes for the Flash Uploader recently. Maybe uploading files works correctly for you now?
Updated by Ralf Seliger over 13 years ago
Sorry, but I'm not going to upgrade to 4.5 for a while. Besides, the php-upload works just fine ;-)
Updated by Stefa No over 13 years ago
I did recently upgrade from 4.3.1 to 4.4.6 and finally to 4.5.2.
Briefly, with 4.4.6 as with 4.5.2:
Any upload fails using "Flash Uploader (Flash 9+)" with FF and Chrome.
With IE I can upload all files except php/inc,
even if I didn't put these extensions in "fileDenyPattern"
neither in "fileExtensions>webspace>deny".
The tests
Date: Monday, April 11, 2011
SO: Win XP SP3
Browser:
- Firefox 4.0 w/ Flash 10.1.85.3 => cannot upload any file type
- Chrome 10 w/ Flash 10.2.154.25 => cannot upload any file type
- Internet Explorer 7.0 w/ Flash 10.2.152.32 => cannot upload php/inc, can upload other types
Settings:
(note: sorry, I will go a little off topic)
The test site uses this settings in localconf.php:
$TYPO3_CONF_VARS['BE']['fileExtensions']['webspace']['deny'] = 'php3,php4,php5,php6,phpsh';
in order to:
- deny "php3,php4,php5,php6,phpsh,phtml" extensions
- allow upload for ".php" and ".inc" files, and all other file formats (.txt, ...)
With flash uploader disabled from user preferences,
I can upload the ".inc" files (ok), but not the ".php" ones (bad).
Using flash uploader, I can't upload anything.
It seems that at least the standard uploader
uses only the 'fileDenyPattern' variable.
I was not using fileDenyPattern in localconf.php, so
the default value is used (see t3lib/config_default.php):
'\.(php[3-6]?|phpsh|phtml)(\..*)?$|^\.htaccess$'
This expression will not match .inc, but it will match .php
and .php.inc files (test: http://www.regular-expressions.info/javascriptexample.html)
So I changed it to (note the use of plus instead of the question,
to allow also .php extension):
$TYPO3_CONF_VARS['BE']['fileDenyPattern'] = '\.(php[3-6]+|phpsh)?$';
Now, always with Flash uploader disabled, I can upload the .php files too.
But with flash uploader enabled, even if I set:
$TYPO3_CONF_VARS['BE']['fileExtensions']['webspace']['allow'] = 'php';
$TYPO3_CONF_VARS['BE']['fileExtensions']['webspace']['deny'] = '';
$TYPO3_CONF_VARS['BE']['fileDenyPattern'] = '';
upload of php files fails ("Filetype not allowed for <filename>").
In the flash uploader upload window the default filter is set to '.php'
(it was 'all' before... maybe it is based on the 'allow' variable)
and I receive a warning in the backend main page that I can't remove.
No errors in http server error log, javascript console or typo3 backend logs.
Other tests with Flash uploader enabled (before adding the three lines):
1) the upload of .php/.inc files fails, showing:
"Filetype not allowed for <filename>"
so, the flash uploader can't read the settings?
2) the upload of other file types (i.e.: .txt) shows:
<<All of your uploads failed.
If this problem persists, please try another browser, contact your administrator or disable this "Flash Uploader" in your User Settings.
Detailed problem description:
An input/output error occured (Error #2038). This i.e. happens with servers using a self-signed SSL certificate, which is a limitation of your browser's Flash plugin.
the last line is shown only after some (three?) uploads.
But the site is configured with http protocol only (not https).
For the moment, I'm going to tell users to disable their flash uploader...
Notes
Another way to test the fileDenyPattern regexp (useful for standard uploader):
when I create a file (with 'new' in 'fileadmin'), I see this mask:
[*.txt, *.html, *.htm, *.css, *.tmpl, *.js, *.sql, *.xml, *.csv, *.php, *.inc]
it seems that it is obtained by subtracting the fileDenyPattern extensions
from ['SYS']['text_file_ext'], that on the test site is:
'txt,html,htm,css,tmpl,js,sql,xml,csv,php,php3,php4,php5,php6,phpsh,inc,phtml'
Updated by Wouter Wolters over 11 years ago
- Target version deleted (
0)
Is this still an issue in newer TYPO3 versions like 6.0?
In 6.1 the flash uploader is removed in favor of the HTML5 uploader
Updated by Alexander Opitz about 11 years ago
- Status changed from Needs Feedback to Closed
No feedback for over 90 days.