Loading core/lib/Drupal/Core/File/FileSystemInterface.php +2 −2 Original line number Diff line number Diff line Loading @@ -37,14 +37,14 @@ interface FileSystemInterface { * * @see \Drupal\Core\File\FileSystemInterface::INSECURE_EXTENSION_REGEX */ public const INSECURE_EXTENSIONS = ['phar', 'php', 'pl', 'py', 'cgi', 'asp', 'js', 'htaccess']; public const INSECURE_EXTENSIONS = ['phar', 'php', 'pl', 'py', 'cgi', 'asp', 'js', 'htaccess', 'phtml']; /** * The regex pattern used when checking for insecure file types. * * @see \Drupal\Core\File\FileSystemInterface::INSECURE_EXTENSIONS */ public const INSECURE_EXTENSION_REGEX = '/\.(phar|php|pl|py|cgi|asp|js|htaccess)(\.|$)/i'; public const INSECURE_EXTENSION_REGEX = '/\.(phar|php|pl|py|cgi|asp|js|htaccess|phtml)(\.|$)/i'; /** * Moves an uploaded file to a new location. Loading core/modules/system/tests/src/Unit/Event/SecurityFileUploadEventSubscriberTest.php +3 −0 Original line number Diff line number Diff line Loading @@ -86,6 +86,9 @@ public function provideFilenames() { 'null bytes are removed' => ['foo' . chr(0) . '.txt' . chr(0), '', 'foo.txt'], 'dot files are renamed' => ['.git', '', 'git'], 'htaccess files are renamed even if allowed' => ['.htaccess', 'htaccess txt', '.htaccess_.txt', '.htaccess'], '.phtml extension allowed with .phtml file' => ['foo.phtml', 'phtml', 'foo.phtml'], '.phtml, .txt extension allowed with .phtml file' => ['foo.phtml', 'phtml txt', 'foo.phtml_.txt', 'foo.phtml'], 'All extensions allowed with .phtml file' => ['foo.phtml', '', 'foo.phtml_.txt', 'foo.phtml'], ]; } Loading Loading
core/lib/Drupal/Core/File/FileSystemInterface.php +2 −2 Original line number Diff line number Diff line Loading @@ -37,14 +37,14 @@ interface FileSystemInterface { * * @see \Drupal\Core\File\FileSystemInterface::INSECURE_EXTENSION_REGEX */ public const INSECURE_EXTENSIONS = ['phar', 'php', 'pl', 'py', 'cgi', 'asp', 'js', 'htaccess']; public const INSECURE_EXTENSIONS = ['phar', 'php', 'pl', 'py', 'cgi', 'asp', 'js', 'htaccess', 'phtml']; /** * The regex pattern used when checking for insecure file types. * * @see \Drupal\Core\File\FileSystemInterface::INSECURE_EXTENSIONS */ public const INSECURE_EXTENSION_REGEX = '/\.(phar|php|pl|py|cgi|asp|js|htaccess)(\.|$)/i'; public const INSECURE_EXTENSION_REGEX = '/\.(phar|php|pl|py|cgi|asp|js|htaccess|phtml)(\.|$)/i'; /** * Moves an uploaded file to a new location. Loading
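Review bot: INSECURE_EXTENSIONS and INSECURE_EXTENSION_REGEX are maintained as two independent literals, and this hunk is exactly the kind of edit where they drift — the regex has to be hand-patched to add `phtml` alongside the array, and nothing checks that the two stay in agreement. The docblock of INSECURE_EXTENSIONS only cross-references the regex; I would state the invariant there: ` * Every entry in this list must also appear in INSECURE_EXTENSION_REGEX, which is what the upload and file-move checks actually match against.` A small unit test would pin it: `foreach (FileSystemInterface::INSECURE_EXTENSIONS as $ext) { self::assertSame(1, preg_match(FileSystemInterface::INSECURE_EXTENSION_REGEX, "foo.$ext")); }`, plus a negative case such as `foo.txt`. Note that this is a denylist, so it only ever covers what is enumerated; the trailing `(\.|$)` group is what makes it also catch the extension in the middle of a double extension, which is worth a sentence in the regex docblock. The enclosing interface continues outside the hunk.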
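--- a/core/modules/system/tests/src/Unit/Event/SecurityFileUploadEventSubscriberTest.php
+++ b/core/modules/system/tests/src/Unit/Event/SecurityFileUploadEventSubscriberTest.php
@@ -86,6 +86,9 @@ public function provideFilenames() {
       'null bytes are removed' => ['foo' . chr(0) . '.txt' . chr(0), '', 'foo.txt'],
       'dot files are renamed' => ['.git', '', 'git'],
       'htaccess files are renamed even if allowed' => ['.htaccess', 'htaccess txt', '.htaccess_.txt', '.htaccess'],
+      '.phtml extension allowed with .phtml file' => ['foo.phtml', 'phtml', 'foo.phtml'],
+      '.phtml, .txt extension allowed with .phtml file' => ['foo.phtml', 'phtml txt', 'foo.phtml_.txt', 'foo.phtml'],
+      'All extensions allowed with .phtml file' => ['foo.phtml', '', 'foo.phtml_.txt', 'foo.phtml'],
     ];
   }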
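Review bot: The three new datasets all use a single-extension filename (`foo.phtml`), so the double-extension path that the `(\.|$)` tail of INSECURE_EXTENSION_REGEX exists for is not exercised for the newly added extension. A fourth dataset along the lines of `'.phtml double extension with .txt allowed' => ['foo.phtml.txt', 'txt', 'foo.phtml_.txt']` would cover it; the expected name follows the pattern of the existing `.htaccess` and `foo.phtml_.txt` cases but should be confirmed against the subscriber's munging. The fourth array element present in two of the new cases (`'foo.phtml'`) but absent from the first is presumably the expected result for another configuration — a one-line comment above the provider naming what each position means would make that asymmetry self-explanatory. provideFilenames() starts before this hunk.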