Bug #89876 (Closed)
.htaccess files missing from ZIP files downloaded in extension manager
Description
The current default setting for $GLOBALS['TYPO3_CONF_VARS']['EXT']['excludeForPackaging'] is '(?:\\..*(?!htaccess)|.*~|.*\\.swp|.*\\.bak|\\.sass-cache|node_modules|bower_components)' which perfectly excludes files like Classes/UserFunction/Menu.php.bak or .idea from being exported if you hit the “Download as ZIP” button in the extension manager.
Sadly though (and clearly not intended by the author of this regex) it also excludes any .htaccess file. This can cause a security risk if you download a ZIP of an extension that kept secret information or even harmful scripts from users by using a restrictive .htaccess file (as is e.g. common practice when it comes to the Resources/Private/.htaccess). The restricting .htaccess file will be missing from the ZIP and if the unknowing backend user uploads the extension to another installation possibly some access is granted where it should not be!

The problem with the regex is the part \\..*(?!htaccess) which basically says “match everything that starts with a dot and then has any number of characters of which at least one is not followed by the phrase ‘htaccess’.” Correct would have been \\.(?!htaccess$).* which would translate to “match everything that starts with a dot but where the next thing after the dot is not ‘htaccess’ + end of the string.”
The configuration is effectively applied inside GeneralUtility::getAllFilesAndFoldersInPath as preg_match('/^' . $excludePattern . '$/', $subdirs).
Long story short, my proposed solution is '(?:\\.(?!htaccess$).*|.*~|.*\\.swp|.*\\.bak|\\.sass-cache|node_modules|bower_components)' as contained in the attached patch for 9.5.
Steps to reproduce:
- Make or take any extension in any TYPO3 environment
- Create a .htaccess file in any directory inside the extension on the server
- Use the extension manager to download said extension as ZIP
- Open the ZIP file and verify that the .htaccess file is missing
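To make the difference between the two lookaheads tangible, here is an added example (not part of the report or of TYPO3) that runs both exclusion patterns over a constructed directory listing. Python's re module is used in place of PHP's preg_match; the \. and (?!...) constructs behave the same in both engines. The assumption that the pattern is tested against each file or folder name on its own, anchored with ^ and $ exactly as the report quotes from getAllFilesAndFoldersInPath, is mine; SAMPLE_NAMES is a made-up listing.

```python
import re

# Both patterns as they appear in the report. In PHP's single-quoted string
# '\\.' is the regex escape '\.', so the raw regex is written here directly.
OLD_EXCLUDE = r'(?:\..*(?!htaccess)|.*~|.*\.swp|.*\.bak|\.sass-cache|node_modules|bower_components)'
NEW_EXCLUDE = r'(?:\.(?!htaccess$).*|.*~|.*\.swp|.*\.bak|\.sass-cache|node_modules|bower_components)'


def is_excluded(name: str, exclude_pattern: str) -> bool:
    """Mirror of preg_match('/^' . $excludePattern . '$/', $name).

    Assumption: the pattern is applied to a single path segment (basename),
    which is what the 'starts with a dot' wording in the report implies.
    """
    return re.match('^' + exclude_pattern + '$', name) is not None


def package_file_list(names, exclude_pattern: str) -> list:
    """Return the names that would survive into the ZIP under a given pattern."""
    return [n for n in names if not is_excluded(n, exclude_pattern)]


# Constructed sample listing: one protective .htaccess plus the usual junk
# the pattern is meant to drop. Not taken from any real extension.
SAMPLE_NAMES = [
    '.htaccess',          # must be kept: it is the access restriction itself
    'Menu.php.bak',       # editor backup, drop
    '.idea',              # IDE folder, drop
    'ext_emconf.php',     # regular extension file, keep
    'Setup.typoscript~',  # editor backup, drop
    '.htaccess.bak',      # backup of the rule file, drop (it is not the live file)
    'node_modules',       # dependency folder, drop
]


def htaccess_survives(exclude_pattern: str) -> bool:
    """True when the live .htaccess makes it into the package under this pattern."""
    return '.htaccess' in package_file_list(SAMPLE_NAMES, exclude_pattern)


if __name__ == '__main__':
    for label, pattern in (('old', OLD_EXCLUDE), ('new', NEW_EXCLUDE)):
        print(label, 'keeps:', package_file_list(SAMPLE_NAMES, pattern))
```

Why the old pattern misbehaves: for the name .htaccess, \. consumes the dot, .* greedily consumes "htaccess", and the lookahead (?!htaccess) is then evaluated at the end of the string, where nothing follows, so it trivially succeeds and the whole name matches the exclusion. Moving the lookahead directly after \. and anchoring it with $ means the check is made at the only position where it is meaningful, while names such as .idea or .htaccess.bak are still excluded.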
Updated by Matteo Bonaker almost 5 years ago
Oh, right, I forgot to mention that this regex has not changed between versions 7, 8 and 9. So I think the issue has long existed and was not brought to attention for some reason.
Updated by Gerrit Code Review almost 5 years ago
- Status changed from New to Under Review
Patch set 1 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/62582
Updated by Gerrit Code Review almost 5 years ago
Patch set 2 for branch master of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/62582
Updated by Susanne Moog almost 5 years ago
Matteo Bonaker wrote:
Oh, right, I forgot to mention that this regex has not changed between versions 7, 8 and 9. So I think the issue has long existed and was not brought to attention for some reason.
The original issue is https://review.typo3.org/c/Packages/TYPO3.CMS/+/43556 (it was already introduced like that).
Updated by Gerrit Code Review almost 5 years ago
Patch set 1 for branch 9.5 of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/62658
Updated by Georg Ringer almost 5 years ago
- Status changed from Under Review to Resolved
- % Done changed from 0 to 100
Applied in changeset 8123da832562b03b505f4c4913bbfeef39f1e8c6.
Updated by Gerrit Code Review almost 5 years ago
- Status changed from Resolved to Under Review
Patch set 1 for branch TYPO3_8-7 of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/62666
Updated by Gerrit Code Review almost 5 years ago
Patch set 2 for branch TYPO3_8-7 of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/62666
Updated by Georg Ringer almost 5 years ago
- Status changed from Under Review to Resolved
Applied in changeset 6881edfb7ee2e3eeabcd65d304c69676512fdf03.
Updated by Benni Mack almost 5 years ago
- Status changed from Resolved to Closed