security message after upgrade to 9.5.17
The error messages you are receiving are part of a security feature that has been integrated into recent TYPO3 v9.5.17 and v10.4.2 releases, see https://docs.typo3.org/c/typo3/cms-core/master/en-us/Changelog/9.5.x/Feature-91354-IntegrateServerResponseSecurityChecks.html
Basically it means that your current server system
- is evaluating files like
test.php.txt(.phpnot at the end of the filename) still as PHP content - this can cause a security vulnerability in case somebody manages to upload a similar file (which might be considered astext/plainfile, but is actually executable PHP code)- potentially remote code execution
- is serving files like
test.html.wrong(.htmlnot at the end of the filename) still astext/htmlwhich triggers the browser to execute HTML tags and potential dangerous<script>tags- potentially cross-site scripting
Call for action
In case this is a live and in production server, you should adjust your web server configuration.
The fix is to limit those web server mime-type mapping only to those files having e.g. .html at the very end, like shown in this example for the Apache HTTP web server
<FilesMatch ".+\.html?$">
AddType text/html .html .htm
</FilesMatch>
Find more details and explanation in the TYPO3 security guidelines for server admins at https://docs.typo3.org/m/typo3/reference-coreapi/10.4/en-us/Security/GuidelinesAdministrators/Index.html#file-extension-handling
Update May 17th, 2020
https://gist.github.com/ohader/11d737de95895f8ca16495a8b7001c45 contains examples how to adjust an .htaccess file in case settings cannot be changed on a (shared) hosting environment.
<IfModule mod_mime.c>
RemoveType .html .htm
<FilesMatch ".+\.html?$">
AddType text/html .html
AddType text/html .htm
</FilesMatch>
RemoveType .svg .svgz
<FilesMatch ".+\.svgz?$">
AddType image/svg+xml .svg
AddType image/svg+xml .svgz
</FilesMatch>
RemoveHandler .php
<FilesMatch ".+\.php$">
# IMPORTANT: `php-fcgid` is using in THIS example
# Most probably is different for each individual configuration
SetHandler php-fcgid
# SetHandler php-script
# SetHandler application/x-httpd-php
</FilesMatch>
</IfModule>
Current handler identifier php-fcgid was identified for the example above using a phpinfo(); and searching for $_SERVER[REDIRECT_HANDLER]:
$_SERVER['REDIRECT_HANDLER'] php-fcgid
The following solution was recommended to me by the support team of ALL-INKL.COM. I had to contact them, because the remove statements (RemoveHandler .php) did not work.
<FilesMatch "\.(php[0-9,x]*|phtml)\.">
SetHandler text/plain
</FilesMatch>
Thanks to the ALL-INKL.COM-Support-Team
For shared hosting it can be quite hard to find out the correct handler for php.
some specialty for 1&1 Ionos, might be even special to this particular shared hosting package:
shared hosting with php 7.3 (confirmed in phpinfo), but $_SERVER['REDIRECT_HANDLER'] gives "x-mapp-php5" (not sure why, could be that the hosting is running for many years and was upgraded to php 7 and they somehow alias it for whatever reason)
The working solution for me was:
<IfModule mod_mime.c>
RemoveType .html .htm
<FilesMatch ".+\.html?$">
AddType text/html .html
AddType text/html .htm
</FilesMatch>
RemoveType .svg .svgz
<FilesMatch ".+\.svgz?$">
AddType image/svg+xml .svg
AddType image/svg+xml .svgz
</FilesMatch>
RemoveHandler .php
RemoveType .php
<FilesMatch ".+\.php$">
AddType x-mapp-php5 .php
AddHandler x-mapp-php5 .php
</FilesMatch>
</IfModule>
I had to remove both the handler/type and add them again within the filesmatch. Took me quite a while to get this working, hope this helps.
For host-europe $_SERVER['REDIRECT_HANDLER'] was empty, php7.4:
<IfModule mod_mime.c>
....
RemoveHandler .php
RemoveType .php
<FilesMatch ".+\.php$">
# only this handler seems to work
AddType application/x-httpd-php .php
AddHandler application/x-httpd-php .php
</FilesMatch>
</IfModule>