Why is it not using the list of filters here #35001

Why are the two lists different eg php5, php6 etc

Surely there should be just one list

I have added the extensions for php3-8, good catch! @brianteeman @richard67

I have tested this item ✅ successfully on 16cf307

Tested as described in testing instructions.

not sure where your list comes from but I would add
.MSI – A Microsoft installer file.
.JAR – .JAR files contain executable Java code. If you have the Java runtime installed, .JAR files will be run as programs.

but there are a lot more https://www.lifewire.com/list-of-executable-file-extensions-2626061

not sure where your list comes from but I would add
.MSI – A Microsoft installer file.
.JAR – .JAR files contain executable Java code. If you have the Java runtime installed, .JAR files will be run as programs.

but there are a lot more https://www.lifewire.com/list-of-executable-file-extensions-2626061

Don't know ether but msi (not sure about jar) will not be execute by a webserver.

Don't know ether but msi (not sure about jar) will not be execute by a webserver.

Neither would many of the others (unless it is a windows webserver)

@brianteeman @HLeithner added MSI and JAR

I still dont understand why this list is different to the list in the other PR or why this list is even used when the other list could be.

One list, less mistakes.

@SniperSister maybe we should create the static list of executables in the framework input filter package and then they can be maintained as a single list that way as @brianteeman says rather than having our duplicate here in the MediaHelper class?

@wilsonge thats what I keep saying but get ignored #35001 is a partially identical list (and should be identical)

@wilsonge it's not a duplicate, it's only partially identical with the list in the InputFilter focussing on file types that might be executable directly within the web server, resulting in code executions. The list in the mediahelper also includes file types that are able to execute code not only in the webserver but also in a general OS scenario or even in the browser

still better to have just one to avoid mistakes or just have the list in mediahelper extend the inputfilter

/me doesnt see/agree with your supposed differences - especially for windows servers

or just have the list in mediahelper extend the inputfilter

That's fine for me

@wilsonge your call. Let me know how you want it solved.

or just have the list in mediahelper extend the inputfilter

This makes sense to me too. Let's go with it!

Whilst your at it can you just expand the comment on the class property to mention your explanation so it's super clear for people in the future. Thankyou :)

@SniperSister please can you look at this. It needs to be ready by tuesday for the final RC or it's not going in :)

@wilsonge done!

I have tested this item ✅ successfully on 4b6b32e

Checked with values from both arrays (input filter and media helper) that the manipulated request results in a 500 response and the file is not renamed.