[SECURITY] Disallow pht as file extension 96/53896/2
author Susanne Moog <susanne.moog@typo3.com>
Tue, 5 Sep 2017 09:36:39 +0000 (11:36 +0200)
committer Oliver Hader <oliver.hader@typo3.org>
Tue, 5 Sep 2017 09:36:42 +0000 (11:36 +0200)
commit 9c18546e5870e0e9eea69bab8c71f7f9f7f7fe79
tree 19769e6f6f084f1afd920cc20ed197686a44a3a7
parent b979433972f49fdaeb3ce7e2cba3cda1fca93ab1
[SECURITY] Disallow pht as file extension

Some web servers allow and accept pht files as PHP files
and execute them. Thus, pht should be part of the default
file deny pattern and PHP file extensions.

Resolves: #82078
Releases: master, 8.7, 7.6
Security-Commit: 548472d3d9dde59c6f9736666184b3853b734e0a
Security-Bulletin: TYPO3-CORE-SA-2017-007
Change-Id: Idcd7b13383c10935469f23826297f59a7362f693
Reviewed-on: https://review.typo3.org/53896
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>
Tested-by: Oliver Hader <oliver.hader@typo3.org>
typo3/sysext/core/Classes/Core/SystemEnvironmentBuilder.php
typo3/sysext/core/Tests/Unit/Core/SystemEnvironmentBuilderTest.php
typo3/sysext/core/Tests/Unit/Utility/GeneralUtilityTest.php