TYPO3 Core

Can you please describe what the "unwanted side-effect" is?
What is your usecase, what does not work?

The regex modification of yours does not deny files like .pl.bak anymore, but it would still deny .pl.....

Markus Klein wrote:

Can you please describe what the "unwanted side-effect" is?
What is your usecase, what does not work?

Thank you for your attention to my request.

It is very reasonable to prevent files with, for example, the file extensions .bak and .sic from being delivered by the server. The .htaccess supplied with TYPO3 prevents the delivery of .bak files, so the fileDenyPattern is a "duplicate" if you use the supplied .htaccess. But I do not want to discuss or doubt your efforts in hardening TYPO3. My use case: At application level, I have stumbled across the fact that TYPO3 rejected the file setup.pl.typoscript. This file contains configuration data for a Polish website.

Sorry, I ask again. Please describe your setup.
Where do you use this setup.pl.typoscript file? Do you include it somewhere?

Give us instructions how to reproduce the issue.
Thanks

Markus Klein wrote:

Where do you use this setup.pl.typoscript file? Do you include it somewhere?

In a multi-client system, the file setup.pl.ts is read in the root template of the client. The command is

<INCLUDE_TYPOSCRIPT: source="FILE:MYPATH/templates/ts/setup.ts">
<INCLUDE_TYPOSCRIPT: source="FILE:MYPATH/templates/ts/setup.pl.ts">

The file setup.pl.ts overwrites values from setup.ts.

Do you need further data?

Kind regards

Thanks for the info. Will take a look and will discuss, how to solve this problem properly.

The modified file deny pattern would allow files like evil.php.jpg which might be executable depending on which web server and configuration is used.

In the last few years setups e.g. using the following in Apache have been "popular":

AddHandler php-script .php

Apache's approach for multiple file extensions is described here: https://httpd.apache.org/docs/2.4/mod/mod_mime.html#multipleext

Concerning setup.pl.typoscript and having a setup like documented in https://httpd.apache.org/docs/2.4/howto/cgi.html it would have to be considered as RCE vulnerability (that's why it was added to the deny pattern), basically:

AddHandler cgi-script .cgi .pl

Thus, the the general question is why TypoScript includes are using the fileDeny pattern (in terms of parsing TypoScript configuration). It has been introduced in a security release a couple of years ago:

• https://github.com/TYPO3/TYPO3.CMS/commit/368f57fe2158aff559c4bee2bba5de20d271799e
• https://typo3.org/security/advisory/typo3-sa-2010-022/

These are the aspects that should be tackled, replaced and hardened further.

Patch set 2 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/59886

Patch set 3 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/59886

Patch set 4 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/59886

Patch set 1 for branch 9.5 of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/59913

Patch set 1 for branch TYPO3_8-7 of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/59914