[SECURITY] Extend file deny pattern

In order to enhance protection against (possible) executable file extensions phar, shtml, cgi, pl have been added to the according file deny pattern. Releases: master, 9.5, 8.7 Resolves: #87368 Security-Commit: d6909e2a1262d2d24e39eb07326aea0c143021f8 Security-Bulletin: TYPO3-CORE-SA-2019-008 Change-Id: Ia66c9093e8379612021872a195e620d19f44a2ca Reviewed-on: https://review.typo3.org/59533 Reviewed-by: Oliver Hader <[email protected]> Tested-by: Oliver Hader <[email protected]>
TYPO3-CMS · Jan 22, 2019 · 5095084 · 5095084
1 parent 3b8b8b4
commit 5095084
Showing 1 changed file with 2 additions and 2 deletions.
diff --git a/Classes/Core/SystemEnvironmentBuilder.php b/Classes/Core/SystemEnvironmentBuilder.php
@@ -148,9 +148,9 @@ protected static function defineBaseConstants()
         defined('SUB') ?: define('SUB', chr(26));
 
         // Security related constant: Default value of fileDenyPattern
-        define('FILE_DENY_PATTERN_DEFAULT', '\\.(php[3-7]?|phpsh|phtml|pht)(\\..*)?$|^\\.htaccess$');
+        define('FILE_DENY_PATTERN_DEFAULT', '\\.(php[3-7]?|phpsh|phtml|pht|phar|shtml|cgi|pl)(\\..*)?$|^\\.htaccess$');
         // Security related constant: List of file extensions that should be registered as php script file extensions
-        define('PHP_EXTENSIONS_DEFAULT', 'php,php3,php4,php5,php6,php7,phpsh,inc,phtml,pht');
+        define('PHP_EXTENSIONS_DEFAULT', 'php,php3,php4,php5,php6,php7,phpsh,inc,phtml,pht,phar');
 
         // Operating system identifier
         // Either "WIN" or empty string