[SECURITY] Disallow pht as file extension 04/53904/2
authorSusanne Moog <susanne.moog@typo3.com>
Tue, 5 Sep 2017 09:37:42 +0000 (11:37 +0200)
committerOliver Hader <oliver.hader@typo3.org>
Tue, 5 Sep 2017 09:37:46 +0000 (11:37 +0200)
Some web servers allow and accept pht files as PHP files
and execute them. Thus, pht should be part of the default
file deny pattern and PHP file extensions.

Resolves: #82078
Releases: master, 8.7, 7.6
Security-Commit: d7e19499bfa4bd552d4428a2b9a943005c20c61d
Security-Bulletin: TYPO3-CORE-SA-2017-007
Change-Id: Ibadcaa8c32b70b9aec569027862918d0360ec075
Reviewed-on: https://review.typo3.org/53904
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>
Tested-by: Oliver Hader <oliver.hader@typo3.org>
typo3/sysext/core/Classes/Core/SystemEnvironmentBuilder.php
typo3/sysext/core/Tests/Unit/Core/SystemEnvironmentBuilderTest.php
typo3/sysext/core/Tests/Unit/Utility/GeneralUtilityTest.php

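--- a/typo3/sysext/core/Classes/Core/SystemEnvironmentBuilder.php
+++ b/typo3/sysext/core/Classes/Core/SystemEnvironmentBuilder.php
@@ -112,9 +112,9 @@ class SystemEnvironmentBuilder
         defined('CRLF') ?: define('CRLF', CR . LF);
 
         // Security related constant: Default value of fileDenyPattern
-        define('FILE_DENY_PATTERN_DEFAULT', '\\.(php[3-7]?|phpsh|phtml)(\\..*)?$|^\\.htaccess$');
+        define('FILE_DENY_PATTERN_DEFAULT', '\\.(php[3-7]?|phpsh|phtml|pht)(\\..*)?$|^\\.htaccess$');
         // Security related constant: List of file extensions that should be registered as php script file extensions
-        define('PHP_EXTENSIONS_DEFAULT', 'php,php3,php4,php5,php6,php7,phpsh,inc,phtml');
+        define('PHP_EXTENSIONS_DEFAULT', 'php,php3,php4,php5,php6,php7,phpsh,inc,phtml,pht');
 
         // Operating system identifier
         // Either "WIN" or empty string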
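Review bot: The fix lands only in the `FILE_DENY_PATTERN_DEFAULT` constant, so an installation that has overridden the `fileDenyPattern` setting in its own configuration keeps the old regex and stays exposed to `.pht` uploads; the bulletin or changelog should tell administrators to re-check that setting rather than assume the update covers them. The deny pattern and `PHP_EXTENSIONS_DEFAULT` on the following line are two hand-maintained lists that have to agree (`inc` already appears in the second but not in the first), and a comment such as `// Keep in sync with PHP_EXTENSIONS_DEFAULT below; both lists name extensions a web server may execute as PHP` would at least make the coupling visible to the next person adding an extension. The Debian-style `mod_php` `FilesMatch` configurations that treat `.pht` as PHP commonly also match `.phar`, so the alternation probably wants `phar` as well, e.g. `'\\.(php[3-7]?|phpsh|phtml|pht|phar)(\\..*)?$|^\\.htaccess$'`; I cannot confirm the exact server matrix from here, so treat that as something to verify rather than a finding.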
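--- a/typo3/sysext/core/Tests/Unit/Core/SystemEnvironmentBuilderTest.php
+++ b/typo3/sysext/core/Tests/Unit/Core/SystemEnvironmentBuilderTest.php
@@ -41,7 +41,7 @@ class SystemEnvironmentBuilderTest extends \TYPO3\TestingFramework\Core\Unit\Uni
     {
         $fileName = $this->getUniqueId('filename');
         $data = [];
-        $phpExtensions = \TYPO3\CMS\Core\Utility\GeneralUtility::trimExplode(',', 'php,php3,php4,php5,php6,phpsh,phtml', true);
+        $phpExtensions = \TYPO3\CMS\Core\Utility\GeneralUtility::trimExplode(',', 'php,php3,php4,php5,php6,phpsh,phtml,pht', true);
         foreach ($phpExtensions as $extension) {
             $data[] = [$fileName . '.' . $extension];
             $data[] = [$fileName . '.' . $extension . '.txt'];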
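Review bot: The hard-coded extension list in the `trimExplode` call still stops at `php6`, so the data provider never generates a `.php7` or `.php7.txt` case even though the deny regex in `SystemEnvironmentBuilder` explicitly covers `php[3-7]`; the list should read `'php,php3,php4,php5,php6,php7,phpsh,phtml,pht'`. This is a third hand-maintained copy of the executable-extension list, and the fact that `pht` had to be added in three places in this commit is exactly the drift such copies produce, so a short comment above the line stating that it mirrors `FILE_DENY_PATTERN_DEFAULT` and must be updated together with it would help. The data-provider method's signature lies above the hunk, so I cannot see which assertion consumes these rows.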
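--- a/typo3/sysext/core/Tests/Unit/Utility/GeneralUtilityTest.php
+++ b/typo3/sysext/core/Tests/Unit/Utility/GeneralUtilityTest.php
@@ -4192,6 +4192,7 @@ class GeneralUtilityTest extends \TYPO3\TestingFramework\Core\Unit\UnitTestCase
             'Regular .php3 file' => ['file.php3'],
             'Regular .phpsh file' => ['file.phpsh'],
             'Regular .phtml file' => ['file.phtml'],
+            'Regular .pht file' => ['file.pht'],
             'PHP file in the middle' => ['file.php.txt'],
             '.htaccess file' => ['.htaccess'],
         ];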
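Review bot: The new `'Regular .pht file'` row only exercises the plain extension, while the deny pattern's `(\\..*)?` tail is what blocks the double-extension upload trick, and this provider checks that tail for `.php` only (`'PHP file in the middle'`); add `'.pht file in the middle' => ['file.pht.txt'],` next to the new row. If the deny check is applied case-insensitively, as upload filters should be, a `'Upper-case .pht file' => ['file.PHT'],` row would pin that too, but I cannot see the matching call from this hunk, so confirm before adding it. The provider array begins above the hunk, so the method header is not visible here.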