[SECURITY] Extend file deny pattern 26/59526/2 TYPO3_8-7
author    Oliver Hader <oliver@typo3.org>
          Tue, 22 Jan 2019 08:41:45 +0000 (09:41 +0100)
committer Oliver Hader <oliver.hader@typo3.org>
          Tue, 22 Jan 2019 08:41:47 +0000 (09:41 +0100)
In order to enhance protection against (possible) executable file
extensions phar, shtml, cgi, pl have been added to the according
file deny pattern.

Releases: master, 9.5, 8.7
Resolves: #87368
Security-Commit: 8d94be6a63744d56f642663f1dc627b223799149
Security-Bulletin: TYPO3-CORE-SA-2019-008
Change-Id: Ia409b444b1334332a7b874f04e3dc139d9df7220
Reviewed-on: https://review.typo3.org/59526
Reviewed-by: Oliver Hader <oliver.hader@typo3.org>
Tested-by: Oliver Hader <oliver.hader@typo3.org>
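The following is an added example, not part of the commit or of TYPO3 itself: it takes the two regex bodies from the patch (the old and the new FILE_DENY_PATTERN_DEFAULT) and runs them over a constructed list of upload filenames, so the effect of the change, including the double-extension and "extension-is-a-prefix" cases, is visible side by side. The `/i` flag, the `isDenied()` helper and the sample names are this example's own assumptions.

```php
<?php
declare(strict_types=1);

// Added example (not TYPO3 code): compare the old and new default deny
// patterns from the patch against a set of constructed upload filenames.

// Regex bodies copied verbatim from the diff; the delimiters and the
// case-insensitivity flag applied below are this example's own choice.
const OLD_PATTERN = '\\.(php[3-7]?|phpsh|phtml|pht)(\\..*)?$|^\\.htaccess$';
const NEW_PATTERN = '\\.(php[3-7]?|phpsh|phtml|pht|phar|shtml|cgi|pl)(\\..*)?$|^\\.htaccess$';

/**
 * Returns true when $filename is rejected by $pattern.
 * The /i flag is an assumption of this example: without it, a name such as
 * 'shell.PHAR' would slip past a deny check built from this pattern.
 */
function isDenied(string $pattern, string $filename): bool
{
    return preg_match('/' . $pattern . '/i', $filename) === 1;
}

// Constructed sample names covering the cases a reviewer cares about.
$samples = [
    'report.pdf',       // benign: allowed by both
    'shell.php',        // denied by both
    'shell.php.txt',    // double extension: denied by both
    'shell.phar',       // newly denied
    'shell.PHAR',       // newly denied, relies on the /i flag
    'shell.phar.jpg',   // newly denied (double extension)
    'index.shtml',      // newly denied
    'run.cgi',          // newly denied
    'script.pl',        // newly denied
    'archive.plist',    // allowed: 'pl' must be the whole extension
    '.htaccess',        // denied by both via the second alternative
    '.user.ini',        // allowed by both: not covered by either pattern
];

printf("%-18s %-5s %-5s\n", 'filename', 'old', 'new');
foreach ($samples as $name) {
    printf(
        "%-18s %-5s %-5s\n",
        $name,
        isDenied(OLD_PATTERN, $name) ? 'deny' : 'ok',
        isDenied(NEW_PATTERN, $name) ? 'deny' : 'ok'
    );
}
```

Run it with `php deny_pattern_check.php`; the `old`/`new` columns differ exactly for the `.phar`, `.shtml`, `.cgi` and `.pl` rows, while `archive.plist` stays allowed because the `(\..*)?$` tail only admits a further dot-separated suffix, not arbitrary trailing characters.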
typo3/sysext/core/Classes/Core/SystemEnvironmentBuilder.php

index 0d4b739..a341c95 100644 (file)
@@ -112,9 +112,9 @@ class SystemEnvironmentBuilder
         defined('CRLF') ?: define('CRLF', CR . LF);
 
         // Security related constant: Default value of fileDenyPattern
-        define('FILE_DENY_PATTERN_DEFAULT', '\\.(php[3-7]?|phpsh|phtml|pht)(\\..*)?$|^\\.htaccess$');
+        define('FILE_DENY_PATTERN_DEFAULT', '\\.(php[3-7]?|phpsh|phtml|pht|phar|shtml|cgi|pl)(\\..*)?$|^\\.htaccess$');
         // Security related constant: List of file extensions that should be registered as php script file extensions
-        define('PHP_EXTENSIONS_DEFAULT', 'php,php3,php4,php5,php6,php7,phpsh,inc,phtml,pht');
+        define('PHP_EXTENSIONS_DEFAULT', 'php,php3,php4,php5,php6,php7,phpsh,inc,phtml,pht,phar');
 
         // Operating system identifier
         // Either "WIN" or empty string
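Review bot: the change to PHP_EXTENSIONS_DEFAULT in this hunk (adding `phar`) is not mentioned in the commit message, which only describes the deny pattern; since that list, per its own comment, decides which extensions are registered as PHP script file extensions, it deserves a sentence in the message or the accompanying changelog. Two further points on the FILE_DENY_PATTERN_DEFAULT line: the pattern carries no inline case-insensitivity flag, so whichever code consumes it must apply one (otherwise `upload.PHAR` or `.HTACCESS` pass the check), and `shtml`, `cgi` and `pl` are intentionally absent from PHP_EXTENSIONS_DEFAULT, which is correct because they are not PHP script extensions, but the asymmetry is worth a short comment so it is not "fixed" later.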