Bug #89876 (closed)
.htaccess files missing from ZIP files downloaded in extension manager
Description
The current default setting for $GLOBALS['TYPO3_CONF_VARS']['EXT']['excludeForPackaging'] is '(?:\\..*(?!htaccess)|.*~|.*\\.swp|.*\\.bak|\\.sass-cache|node_modules|bower_components)', which perfectly excludes files like Classes/UserFunction/Menu.php.bak or .idea from being exported if you hit the “Download as ZIP” button in the extension manager.
Sadly though (and clearly not intended by the author of this regex), it also excludes any .htaccess file. This can cause a security risk if you download a ZIP of an extension that kept secret information or even harmful scripts from users by using a restrictive .htaccess file (as is e.g. common practice for Resources/Private/.htaccess). The restricting .htaccess file will be missing from the ZIP, and if the unknowing backend user uploads the extension to another installation, possibly some access is granted where it should not be!
The problem with the regex is the part \\..*(?!htaccess), which basically says “match everything that starts with a dot and then has any number of characters of which at least one is not followed by the phrase ‘htaccess’.” Correct would have been \\.(?!htaccess$).*, which would translate to “match everything that starts with a dot but where the next thing after the dot is not ‘htaccess’ + end of the string.”
The configuration is effectively applied inside GeneralUtility::getAllFilesAndFoldersInPath as preg_match('/^' . $excludePattern . '$/', $subdirs).
Long story short, my proposed solution is '(?:\\.(?!htaccess$).*|.*~|.*\\.swp|.*\\.bak|\\.sass-cache|node_modules|bower_components)', as contained in the attached patch for 9.5.
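To see the difference between the two patterns on concrete basenames, here is an added example (not TYPO3 code and not part of the report). It uses Python's re module, whose negative lookahead and anchoring behave the same as PCRE for these two patterns, and applies them the way the report describes, wrapped in ^ and $; the list of sample names is constructed for the demonstration.

```python
import re

# The two exclude patterns quoted in the report. In PHP single-quoted strings
# '\\.' becomes the regex '\.', so the single-backslash form is used here.
OLD_PATTERN = r'(?:\..*(?!htaccess)|.*~|.*\.swp|.*\.bak|\.sass-cache|node_modules|bower_components)'
NEW_PATTERN = r'(?:\.(?!htaccess$).*|.*~|.*\.swp|.*\.bak|\.sass-cache|node_modules|bower_components)'


def is_excluded(name: str, pattern: str) -> bool:
    """Mirror the TYPO3 check: preg_match('/^' . $excludePattern . '$/', $name)."""
    return re.match('^' + pattern + '$', name) is not None


# Constructed sample of basenames as seen while walking an extension directory.
SAMPLE_NAMES = [
    '.htaccess',        # access restriction, must survive packaging
    '.idea',            # IDE folder, should be dropped
    '.DS_Store',        # OS junk, should be dropped
    'Menu.php.bak',     # backup file, should be dropped
    'settings.yaml~',   # editor backup, should be dropped
    'node_modules',     # build dependencies, should be dropped
    'Classes',          # ordinary source folder, must survive
]


def compare_patterns(names=SAMPLE_NAMES):
    """Return {name: (excluded_by_old, excluded_by_new)} for each sample name."""
    return {n: (is_excluded(n, OLD_PATTERN), is_excluded(n, NEW_PATTERN)) for n in names}


def regressions(names=SAMPLE_NAMES):
    """Names whose exclusion result differs between the old and the new pattern."""
    return [n for n, (old, new) in compare_patterns(names).items() if old != new]


if __name__ == '__main__':
    for name, (old, new) in compare_patterns().items():
        print(f'{name:16} old={old!s:5} new={new!s:5}')
    print('changed:', regressions())
```

With the old pattern the greedy .* swallows "htaccess" and the lookahead then trivially succeeds at the end of the string, so .htaccess is excluded; the new pattern only differs for exactly that name.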
Steps to reproduce:
- Make or take any extension in any TYPO3 environment
- Create a .htaccess file in any directory inside the extension on the server
- Use the extension manager to download said extension as ZIP
- Open the ZIP file and verify that the .htaccess file is missing