[SECURITY] Disallow pht as file extension 96/53896/2
authorSusanne Moog <susanne.moog@typo3.com>
Tue, 5 Sep 2017 09:36:39 +0000 (11:36 +0200)
committerOliver Hader <oliver.hader@typo3.org>
Tue, 5 Sep 2017 09:36:42 +0000 (11:36 +0200)
Some web servers allow and accept pht files as PHP files
and execute them. Thus, pht should be part of the default
file deny pattern and PHP file extensions.

Resolves: #82078
Releases: master, 8.7, 7.6
Security-Commit: 548472d3d9dde59c6f9736666184b3853b734e0a
Security-Bulletin: TYPO3-CORE-SA-2017-007
Change-Id: Idcd7b13383c10935469f23826297f59a7362f693
Reviewed-on: https://review.typo3.org/53896
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>
Tested-by: Oliver Hader <oliver.hader@typo3.org>
typo3/sysext/core/Classes/Core/SystemEnvironmentBuilder.php
typo3/sysext/core/Tests/Unit/Core/SystemEnvironmentBuilderTest.php
typo3/sysext/core/Tests/Unit/Utility/GeneralUtilityTest.php

index 656fb23..b400828 100644 (file)
@@ -114,9 +114,9 @@ class SystemEnvironmentBuilder
         define('CRLF', CR . LF);
 
         // Security related constant: Default value of fileDenyPattern
-        define('FILE_DENY_PATTERN_DEFAULT', '\\.(php[3-7]?|phpsh|phtml)(\\..*)?$|^\\.htaccess$');
+        define('FILE_DENY_PATTERN_DEFAULT', '\\.(php[3-7]?|phpsh|phtml|pht)(\\..*)?$|^\\.htaccess$');
         // Security related constant: List of file extensions that should be registered as php script file extensions
-        define('PHP_EXTENSIONS_DEFAULT', 'php,php3,php4,php5,php6,php7,phpsh,inc,phtml');
+        define('PHP_EXTENSIONS_DEFAULT', 'php,php3,php4,php5,php6,php7,phpsh,inc,phtml,pht');
 
         // Operating system identifier
         // Either "WIN" or empty string
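Review bot: FILE_DENY_PATTERN_DEFAULT and PHP_EXTENSIONS_DEFAULT are two hand-maintained lists that this commit updates in lockstep, but nothing in the file records that they have to agree, so the next addition can easily land in only one of them; the comment above each constant should say so, e.g. `// Security related constant: Default value of fileDenyPattern; keep in sync with PHP_EXTENSIONS_DEFAULT below` and a mirrored sentence on the other. The new lines already show one divergence (`inc` appears in PHP_EXTENSIONS_DEFAULT but not in the deny pattern); whether that is deliberate depends on how the two constants are consumed, which this hunk does not show, so the comment is also the place to state it. The enclosing method of SystemEnvironmentBuilder starts before and ends after the hunk.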
index fbcce25..fad59e0 100644 (file)
@@ -43,7 +43,7 @@ class SystemEnvironmentBuilderTest extends \TYPO3\CMS\Core\Tests\UnitTestCase
     {
         $fileName = $this->getUniqueId('filename');
         $data = [];
-        $phpExtensions = \TYPO3\CMS\Core\Utility\GeneralUtility::trimExplode(',', 'php,php3,php4,php5,php6,phpsh,phtml', true);
+        $phpExtensions = \TYPO3\CMS\Core\Utility\GeneralUtility::trimExplode(',', 'php,php3,php4,php5,php6,phpsh,phtml,pht', true);
         foreach ($phpExtensions as $extension) {
             $data[] = [$fileName . '.' . $extension];
             $data[] = [$fileName . '.' . $extension . '.txt'];
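Review bot: The extension list passed to trimExplode on the changed line is a hand-copied subset of PHP_EXTENSIONS_DEFAULT and already lags it: `php7` is part of the constant in SystemEnvironmentBuilder but is missing here, so the new `pht` case gets coverage while `php7` never does. Either add it, `'php,php3,php4,php5,php6,php7,phpsh,phtml,pht'`, or derive the list from the constant so the two cannot drift again. The enclosing provider method starts outside the hunk.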
index 761a432..4d96058 100644 (file)
@@ -4353,6 +4353,7 @@ class GeneralUtilityTest extends \TYPO3\CMS\Core\Tests\UnitTestCase
             'Regular .php3 file' => ['file.php3'],
             'Regular .phpsh file' => ['file.phpsh'],
             'Regular .phtml file' => ['file.phtml'],
+            'Regular .pht file' => ['file.pht'],
             'PHP file in the middle' => ['file.php.txt'],
             '.htaccess file' => ['.htaccess'],
         ];
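Review bot: The new `Regular .pht file` entry checks only the bare extension, while the provider exercises the `(\..*)?` tail of the deny pattern for `.php` alone via `PHP file in the middle`; adding `'.pht file in the middle' => ['file.pht.txt'],` would confirm the new alternative is also caught when a second extension follows it. The enclosing provider method starts outside the hunk.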