[SECURITY] Extend file deny pattern 40/59540/2
author Oliver Hader <oliver@typo3.org>
Tue, 22 Jan 2019 08:43:31 +0000 (09:43 +0100)
committer Oliver Hader <oliver.hader@typo3.org>
Tue, 22 Jan 2019 08:43:34 +0000 (09:43 +0100)
In order to enhance protection against (possible) executable file
extensions, phar, shtml, cgi and pl have been added to the corresponding
file deny pattern.

Releases: master, 9.5, 8.7
Resolves: #87368
Security-Commit: c9f0d00b89768b63df9c77884cf9d19d658fc0fc
Security-Bulletin: TYPO3-CORE-SA-2019-008
Change-Id: I92998a2046b6efb7f31961c20f24c81d00957879
Reviewed-on: https://review.typo3.org/59540
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>
Tested-by: Oliver Hader <oliver.hader@typo3.org>
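As an added example (not code from the TYPO3 project or from this commit), the old and new FILE_DENY_PATTERN_DEFAULT values from the hunk below are run against constructed upload names in Python's `re`, which accepts this PCRE pattern unchanged. Whether TYPO3 applies the pattern case-insensitively is not visible on this page, so the `ignore_case` parameter is an assumption and the example exercises both behaviours; the sample filenames are constructed for this example.

```python
import re

# Pattern strings copied from the hunk (old and new FILE_DENY_PATTERN_DEFAULT).
# The PHP source escapes the dot as \\. ; as a regex that is a single \. .
OLD_DENY_PATTERN = r"\.(php[3-7]?|phpsh|phtml|pht)(\..*)?$|^\.htaccess$"
NEW_DENY_PATTERN = r"\.(php[3-7]?|phpsh|phtml|pht|phar|shtml|cgi|pl)(\..*)?$|^\.htaccess$"


def is_denied(filename: str, pattern: str = NEW_DENY_PATTERN, ignore_case: bool = True) -> bool:
    """Return True if the upload name matches the deny pattern.

    ignore_case=True is an ASSUMPTION that the caller applies the pattern with
    the case-insensitive flag (PCRE /i); the hunk itself does not show this.
    The pattern has two alternatives: a denied extension that is either the
    last segment or is followed by further dot-separated segments, or the
    exact name .htaccess.
    """
    flags = re.IGNORECASE if ignore_case else 0
    return re.search(pattern, filename, flags) is not None


def newly_denied(filenames, ignore_case: bool = True):
    """Names rejected by the new default but accepted by the old one."""
    return [
        name for name in filenames
        if is_denied(name, NEW_DENY_PATTERN, ignore_case)
        and not is_denied(name, OLD_DENY_PATTERN, ignore_case)
    ]


# Constructed sample upload names (not from the original page).
SAMPLES = [
    "report.pdf",
    "shell.php",         # denied before and after
    "shell.phar",
    "shell.phar.jpg",    # double extension: (\..*)?$ still catches the phar segment
    "shell.jpg.phar",
    "index.shtml",
    "hook.cgi",
    "script.pl",
    ".htaccess",         # denied before and after via the second alternative
    "SHELL.PHAR",        # only denied if the caller matches case-insensitively
    "template.html",
    "notes.pltxt",       # "pl" must be a whole segment; this stays allowed
]

if __name__ == "__main__":
    for name in SAMPLES:
        print(f"{name:16} old={is_denied(name, OLD_DENY_PATTERN)!s:5} "
              f"new={is_denied(name)!s:5} new(case-sensitive)={is_denied(name, ignore_case=False)}")
    print("newly denied:", newly_denied(SAMPLES))
```

The `SHELL.PHAR` row is the one to watch: with the bare pattern and no case-insensitive flag it is accepted, so the value of the added extensions depends on how the constant is applied, not only on its contents.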
typo3/sysext/core/Classes/Core/SystemEnvironmentBuilder.php

index a712122..c6db50e 100644 (file)
@@ -133,9 +133,9 @@ class SystemEnvironmentBuilder
         defined('CRLF') ?: define('CRLF', CR . LF);
 
         // Security related constant: Default value of fileDenyPattern
-        define('FILE_DENY_PATTERN_DEFAULT', '\\.(php[3-7]?|phpsh|phtml|pht)(\\..*)?$|^\\.htaccess$');
+        define('FILE_DENY_PATTERN_DEFAULT', '\\.(php[3-7]?|phpsh|phtml|pht|phar|shtml|cgi|pl)(\\..*)?$|^\\.htaccess$');
         // Security related constant: List of file extensions that should be registered as php script file extensions
-        define('PHP_EXTENSIONS_DEFAULT', 'php,php3,php4,php5,php6,php7,phpsh,inc,phtml,pht');
+        define('PHP_EXTENSIONS_DEFAULT', 'php,php3,php4,php5,php6,php7,phpsh,inc,phtml,pht,phar');
 
         // Relative path from document root to typo3/ directory, hardcoded to "typo3/"
         if (!defined('TYPO3_mainDir')) {
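Review bot: `inc` is listed as a PHP script extension in PHP_EXTENSIONS_DEFAULT (`+        define('PHP_EXTENSIONS_DEFAULT', 'php,php3,php4,php5,php6,php7,phpsh,inc,phtml,pht,phar');`) but is still absent from the FILE_DENY_PATTERN_DEFAULT alternation on the line above it, so an upload named `payload.inc` passes the deny pattern on any host where that extension list actually drives the PHP handler mapping; either add `inc` to the alternation alongside `phar` or state in the comment why it is deliberately left out. Two smaller points on the same hunk: the pattern carries no inline `(?i)`, so rejecting `.PHAR` or `.Phar` depends entirely on the caller supplying the case-insensitive flag, which is worth confirming (or noting in the "Security related constant" comment) since the new extensions only help if that holds; and because this changes the compiled-in default only, installations that override fileDenyPattern in their own configuration will not pick up phar, shtml, cgi or pl, which should be spelled out in the notes for TYPO3-CORE-SA-2019-008.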