Bug #24548

Uploading files with Flash does not work

Added by Ralf Seliger about 11 years ago. Updated over 8 years ago.

Should have
Target version:
Start date:
Due date:
% Done:


Estimated time:
TYPO3 Version:
PHP Version:
Is Regression:
Sprint Focus:


Even though $TYPO3_CONF_VARS['GFX'][BE][fileDenyPattern] is the default, i.e. "\.(php[3-6]?|phpsh|phtml)(\..*)?$|^\.htaccess$", only php-files are shown in the file selector when using the flash uploader.

Uploading the php files is not possible, due to the fileDenyPattern.

Typo3 4.4.4 doesn't have this bug.

(issue imported from #M17004)


Updated by Marcus Krause about 11 years ago

Under review by TYPO3 security team.


Updated by Helmut Hummel about 11 years ago

Neither I understand the problem, nor can I reproduce it with TYPO3 4.4.6

Can you give us a little more details?
Which uploader are you using (flash or form)?
Did I understand it right, that you cannot upload .jpg or .gif files, but only .php files?
What does the reports module state on the fileDenyPattern topic?


Updated by Ralf Seliger about 11 years ago

1. I use the flash uploader.

2. Yes, the only files that are available for upload when I click on "Select Files" in the Flash dialog are those with extension php.


Updated by Helmut Hummel about 11 years ago

Can you actualy upload php files or do you then get an error message?

Which browser on which system are you using?

Does the problem also exist, if you are using the "normal" uploader?


Updated by Ralf Seliger about 11 years ago

File Deny Pattern is OK/green in Reports.

By the way, how can I disable the Depreciation Log?


Updated by Helmut Hummel about 11 years ago

Can you please answer my other questions?


Updated by Ralf Seliger about 11 years ago

Well, the dialog says:
"You can upload the following file types *.php", but when I actually try to upload a php-file (test.php) I get the error message:
"Filetype not allowed for test.php".


Updated by Ralf Seliger about 11 years ago

I don't know how to switch to the "normal" uploader since the flash-uploader was active by default.


Updated by Ralf Seliger about 11 years ago

Both Firefox 3.6.13 and IE 8 have this problem.


Updated by Helmut Hummel about 11 years ago

You can do it in the user settings->edit & advanced functions


Updated by Helmut Hummel about 11 years ago

What operating system are you using?


Updated by Ralf Seliger about 11 years ago

The normal dialog is working as expected.
Windows 7 (64 bit)
Flash version is 10,1,102,64


Updated by Chris topher almost 11 years ago

Ralf, can you test, if this still is an issue with TYPO3 4.5.2?
There were some fixes for the Flash Uploader recently. Maybe uploading files works correctly for you now?


Updated by Ralf Seliger almost 11 years ago

Sorry, but I'm not going to upgrade to 4.5 for a while. Besides, the php-upload works just fine ;-)


Updated by Stefa No almost 11 years ago

I did recently upgrade from 4.3.1 to 4.4.6 and finally to 4.5.2.

Briefly, with 4.4.6 as with 4.5.2:
Any upload fails using "Flash Uploader (Flash 9+)" with FF and Chrome.
With IE I can upload all files except php/inc,
even if I didn't put these extensions in "fileDenyPattern"
neither in "fileExtensions>webspace>deny".

The tests

Date: Monday, April 11, 2011
SO: Win XP SP3
- Firefox 4.0 w/ Flash => cannot upload any file type
- Chrome 10 w/ Flash => cannot upload any file type
- Internet Explorer 7.0 w/ Flash => cannot upload php/inc, can upload other types


(note: sorry, I will go a little off topic)

The test site uses this settings in localconf.php:

$TYPO3_CONF_VARS['BE']['fileExtensions']['webspace']['deny'] = 'php3,php4,php5,php6,phpsh';

in order to:

- deny "php3,php4,php5,php6,phpsh,phtml" extensions
- allow upload for ".php" and ".inc" files, and all other file formats (.txt, ...)

With flash uploader disabled from user preferences,
I can upload the ".inc" files (ok), but not the ".php" ones (bad).
Using flash uploader, I can't upload anything.

It seems that at least the standard uploader
uses only the 'fileDenyPattern' variable.

I was not using fileDenyPattern in localconf.php, so
the default value is used (see t3lib/config_default.php):


This expression will not match .inc, but it will match .php
and .php.inc files (test: http://www.regular-expressions.info/javascriptexample.html)
So I changed it to (note the use of plus instead of the question,
to allow also .php extension):

$TYPO3_CONF_VARS['BE']['fileDenyPattern'] = '\.(php[3-6]+|phpsh)?$';

Now, always with Flash uploader disabled, I can upload the .php files too.

But with flash uploader enabled, even if I set:

$TYPO3_CONF_VARS['BE']['fileExtensions']['webspace']['allow'] = 'php';
$TYPO3_CONF_VARS['BE']['fileExtensions']['webspace']['deny'] = '';
$TYPO3_CONF_VARS['BE']['fileDenyPattern'] = '';

upload of php files fails ("Filetype not allowed for <filename>").
In the flash uploader upload window the default filter is set to '.php'
(it was 'all' before... maybe it is based on the 'allow' variable)
and I receive a warning in the backend main page that I can't remove.

No errors in http server error log, javascript console or typo3 backend logs.

Other tests with Flash uploader enabled (before adding the three lines):

1) the upload of .php/.inc files fails, showing:

"Filetype not allowed for <filename>"

so, the flash uploader can't read the settings?

2) the upload of other file types (i.e.: .txt) shows:

<<All of your uploads failed.

If this problem persists, please try another browser, contact your administrator or disable this "Flash Uploader" in your User Settings.

Detailed problem description:
An input/output error occured (Error #2038). This i.e. happens with servers using a self-signed SSL certificate, which is a limitation of your browser's Flash plugin.

the last line is shown only after some (three?) uploads.
But the site is configured with http protocol only (not https).

For the moment, I'm going to tell users to disable their flash uploader...


Another way to test the fileDenyPattern regexp (useful for standard uploader):
when I create a file (with 'new' in 'fileadmin'), I see this mask:

[*.txt, *.html, *.htm, *.css, *.tmpl, *.js, *.sql, *.xml, *.csv, *.php, *.inc]

it seems that it is obtained by subtracting the fileDenyPattern extensions
from ['SYS']['text_file_ext'], that on the test site is:


Updated by Wouter Wolters over 8 years ago

  • Target version deleted (0)

Is this still an issue in newer TYPO3 versions like 6.0?
In 6.1 the flash uploader is removed in favor of the HTML5 uploader


Updated by Alexander Opitz over 8 years ago

  • Status changed from Needs Feedback to Closed

No feedback for over 90 days.

Also available in: Atom PDF