[SECURITY] Disallow pht as file extension 04/53904/2
author Susanne Moog <susanne.moog@typo3.com>
Tue, 5 Sep 2017 09:37:42 +0000 (11:37 +0200)
committer Oliver Hader <oliver.hader@typo3.org>
Tue, 5 Sep 2017 09:37:46 +0000 (11:37 +0200)
commit 0100f1e8b1835cbebc1da86b63a9f2d0480daa60
tree 8514ee3aa29c4c0358a359ccb5dafc3d76596822
parent c6498b2d4afdb6bf40521334a0c5a4f29366256f
[SECURITY] Disallow pht as file extension

Some web servers allow and accept pht files as PHP files
and execute them. Thus, pht should be part of the default
file deny pattern and PHP file extensions.

Resolves: #82078
Releases: master, 8.7, 7.6
Security-Commit: d7e19499bfa4bd552d4428a2b9a943005c20c61d
Security-Bulletin: TYPO3-CORE-SA-2017-007
Change-Id: Ibadcaa8c32b70b9aec569027862918d0360ec075
Reviewed-on: https://review.typo3.org/53904
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>
Tested-by: Oliver Hader <oliver.hader@typo3.org>
typo3/sysext/core/Classes/Core/SystemEnvironmentBuilder.php
typo3/sysext/core/Tests/Unit/Core/SystemEnvironmentBuilderTest.php
typo3/sysext/core/Tests/Unit/Utility/GeneralUtilityTest.php
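
The kind of file deny pattern check the commit message refers to, as an added example that is not TYPO3's own code. The two patterns are constructed for illustration, and `isUploadNameAllowed` is a hypothetical helper; the sample file names are constructed as well.

```php
<?php
// Constructed deny patterns for illustration; not copied from the TYPO3 source.
const DENY_WITHOUT_PHT = '\\.(php[3-7]?|phpsh|phtml)(\\..*)?$|^\\.htaccess$';
const DENY_WITH_PHT = '\\.(php[3-7]?|phpsh|phtml|pht)(\\..*)?$|^\\.htaccess$';

/**
 * Hypothetical helper: true only when the upload name does not match the deny pattern.
 */
function isUploadNameAllowed(string $fileName, string $denyPattern): bool
{
    // NUL bytes can truncate the name in lower layers, so reject them outright.
    if (strpos($fileName, "\0") !== false) {
        return false;
    }
    // Judge the last path segment only, whichever separator the client sent.
    $baseName = basename(str_replace('\\', '/', $fileName));
    if ($baseName === '') {
        return false;
    }
    // Case-insensitive match; "=== 0" fails closed if preg_match() reports an error.
    return preg_match('/' . $denyPattern . '/i', $baseName) === 0;
}

// Constructed sample upload names.
$samples = ['report.pdf', 'shell.php', 'shell.pht', 'SHELL.PHT', 'shell.pht.txt', 'notes.phtx', '.htaccess'];

printf("%-16s %-12s %s\n", 'name', 'without pht', 'with pht');
foreach ($samples as $name) {
    printf(
        "%-16s %-12s %s\n",
        $name,
        isUploadNameAllowed($name, DENY_WITHOUT_PHT) ? 'allowed' : 'denied',
        isUploadNameAllowed($name, DENY_WITH_PHT) ? 'allowed' : 'denied'
    );
}
```

Only the three `.pht` names change between the two columns; the `(\..*)?` group is what also catches a name such as `shell.pht.txt`, where a further extension follows the denied one.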