Commit e95e25eb authored by catch
Issue #3213745 by AlexGreen, mcdruid, dww, poker10, smustgrave: Add phtml files to the list of potentially malicious extensions
parent a5b62885
......@@ -37,14 +37,14 @@ interface FileSystemInterface {
*
* @see \Drupal\Core\File\FileSystemInterface::INSECURE_EXTENSION_REGEX
*/
public const INSECURE_EXTENSIONS = ['phar', 'php', 'pl', 'py', 'cgi', 'asp', 'js', 'htaccess'];
public const INSECURE_EXTENSIONS = ['phar', 'php', 'pl', 'py', 'cgi', 'asp', 'js', 'htaccess', 'phtml'];
/**
* The regex pattern used when checking for insecure file types.
*
* @see \Drupal\Core\File\FileSystemInterface::INSECURE_EXTENSIONS
*/
public const INSECURE_EXTENSION_REGEX = '/\.(phar|php|pl|py|cgi|asp|js|htaccess)(\.|$)/i';
public const INSECURE_EXTENSION_REGEX = '/\.(phar|php|pl|py|cgi|asp|js|htaccess|phtml)(\.|$)/i';
/**
* Moves an uploaded file to a new location.
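Review bot: INSECURE_EXTENSIONS and INSECURE_EXTENSION_REGEX are two hand-maintained copies of the same list, and this hunk has to edit both lines in lockstep to add `phtml`; nothing in the code enforces that they agree, so a future addition to one but not the other would silently leave one code path less strict than the other. Since the regex cannot be built from the array in a constant expression, consider a unit test that asserts every entry in INSECURE_EXTENSIONS is matched by INSECURE_EXTENSION_REGEX (and vice versa, by parsing the alternation group), so the drift is caught at test time. The `(\.|$)` tail with the `i` flag already covers `foo.phtml.txt` and `FOO.PHTML`, consistent with the existing entries, so the new alternative needs no other change.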
......@@ -86,6 +86,9 @@ public function provideFilenames() {
'null bytes are removed' => ['foo' . chr(0) . '.txt' . chr(0), '', 'foo.txt'],
'dot files are renamed' => ['.git', '', 'git'],
'htaccess files are renamed even if allowed' => ['.htaccess', 'htaccess txt', '.htaccess_.txt', '.htaccess'],
'.phtml extension allowed with .phtml file' => ['foo.phtml', 'phtml', 'foo.phtml'],
'.phtml, .txt extension allowed with .phtml file' => ['foo.phtml', 'phtml txt', 'foo.phtml_.txt', 'foo.phtml'],
'All extensions allowed with .phtml file' => ['foo.phtml', '', 'foo.phtml_.txt', 'foo.phtml'],
];
}
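Review bot: the three new cases only cover `phtml` when it is explicitly allowed ('phtml', 'phtml txt') or when all extensions are allowed (''); there is no case for the common configuration where `phtml` is absent from an otherwise restrictive allow list (e.g. 'txt jpg'), which is the path that a file-upload hardening change most needs to lock down, and the existing 'htaccess files are renamed even if allowed' case shows the pattern to mirror. The 'All extensions allowed with .phtml file' key is also the only one in the set that starts with a capital letter; the neighbouring keys all start lowercase or with the literal extension, so '.phtml with all extensions allowed' would match the surrounding style.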