[SECURITY] Disallow pht as file extension 00/53900/2
author Susanne Moog <susanne.moog@typo3.com>
Tue, 5 Sep 2017 09:37:08 +0000 (11:37 +0200)
committer Oliver Hader <oliver.hader@typo3.org>
Tue, 5 Sep 2017 09:37:11 +0000 (11:37 +0200)
commit 2d37f5f8a856d3387c68710a2a412e71a9aa23ce
tree 444660574dbef7e866debf1f96da73350ae1f94a
parent 2c6228c5ab06590a7e584e543f5b3b1887268577
[SECURITY] Disallow pht as file extension

Some web servers allow and accept pht files as PHP files
and execute them. Thus, pht should be part of the default
file deny pattern and PHP file extensions.

Resolves: #82078
Releases: master, 8.7, 7.6
Security-Commit: 11e39b2ff8ff037379fe9e9e819728fe64fb058b
Security-Bulletin: TYPO3-CORE-SA-2017-007
Change-Id: I0b06badbf505761065c3c3881ff0fd2493954884
Reviewed-on: https://review.typo3.org/53900
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>
Tested-by: Oliver Hader <oliver.hader@typo3.org>
typo3/sysext/core/Classes/Core/SystemEnvironmentBuilder.php
typo3/sysext/core/Tests/Unit/Core/SystemEnvironmentBuilderTest.php
typo3/sysext/core/Tests/Unit/Utility/GeneralUtilityTest.php