[SECURITY] Extend file deny pattern

In order to enhance protection against (possible) executable file extensions phar, shtml, cgi, pl have been added to the according file deny pattern. Releases: master, 9.5, 8.7 Resolves: #87368 Security-Commit: 8d94be6a63744d56f642663f1dc627b223799149 Security-Bulletin: TYPO3-CORE-SA-2019-008 Change-Id: Ia409b444b1334332a7b874f04e3dc139d9df7220 Reviewed-on: https://review.typo3.org/59526 Reviewed-by: Oliver Hader <oliver.hader@typo3.org> Tested-by: Oliver Hader <oliver.hader@typo3.org>
TYPO3 · Jan 22, 2019 · 095ae4a · 095ae4a
1 parent 79528f7
commit 095ae4a
Showing 1 changed file with 2 additions and 2 deletions.
diff --git a/typo3/sysext/core/Classes/Core/SystemEnvironmentBuilder.php b/typo3/sysext/core/Classes/Core/SystemEnvironmentBuilder.php
@@ -112,9 +112,9 @@ protected static function defineBaseConstants()
         defined('CRLF') ?: define('CRLF', CR . LF);
 
         // Security related constant: Default value of fileDenyPattern
-        define('FILE_DENY_PATTERN_DEFAULT', '\\.(php[3-7]?|phpsh|phtml|pht)(\\..*)?$|^\\.htaccess$');
+        define('FILE_DENY_PATTERN_DEFAULT', '\\.(php[3-7]?|phpsh|phtml|pht|phar|shtml|cgi|pl)(\\..*)?$|^\\.htaccess$');
         // Security related constant: List of file extensions that should be registered as php script file extensions
-        define('PHP_EXTENSIONS_DEFAULT', 'php,php3,php4,php5,php6,php7,phpsh,inc,phtml,pht');
+        define('PHP_EXTENSIONS_DEFAULT', 'php,php3,php4,php5,php6,php7,phpsh,inc,phtml,pht,phar');
 
         // Operating system identifier
         // Either "WIN" or empty string