[BUGFIX] Denied file extensions still shown in upload forms

The list of denied file extensions does not contain a dot, but our
fileDenyPattern by default starts with a dot. Therefore, although a
check is performed, the file extensions will still be displayed even
though uploading files with the extension is forbidden by
fileDenyPattern.

This commit adds the dot before the extension when performing the 
check, effectively hiding forbidden extensions.

Resolves: #72803
Releases: master, 7.6
Change-Id: I2ec3d02e096b46309932604a53ea4c416ba9812a
Reviewed-on: https://review.typo3.org/46072


Reviewed-by: Andreas Wolf <andreas.wolf@typo3.org>
Tested-by: Andreas Wolf <andreas.wolf@typo3.org>

typo3/sysext/backend/Classes/Controller/File/CreateFolderController.php

@@ -223,7 +223,7 @@ class CreateFolderController extends AbstractModule
             $fileExtList = array();
             $onlineMediaFileExt = OnlineMediaHelperRegistry::getInstance()->getSupportedFileExtensions();
             foreach ($onlineMediaFileExt as $fileExt) {
-                if (GeneralUtility::verifyFilenameAgainstDenyPattern($fileExt)) {
+                if (GeneralUtility::verifyFilenameAgainstDenyPattern('.' . $fileExt)) {
                     $fileExtList[] = '<span class="label label-success">' . strtoupper(htmlspecialchars($fileExt)) . '</span>';
                 }
             }
@@ -262,7 +262,7 @@ class CreateFolderController extends AbstractModule
             $fileExtList = array();
             $textFileExt = GeneralUtility::trimExplode(',', $GLOBALS['TYPO3_CONF_VARS']['SYS']['textfile_ext'], true);
             foreach ($textFileExt as $fileExt) {
-                if (GeneralUtility::verifyFilenameAgainstDenyPattern($fileExt)) {
+                if (GeneralUtility::verifyFilenameAgainstDenyPattern('.' . $fileExt)) {
                     $fileExtList[] = '<span class="label label-success">' . strtoupper(htmlspecialchars($fileExt)) . '</span>';
                 }
             }

typo3/sysext/recordlist/Classes/View/FolderUtilityRenderer.php

@@ -122,7 +122,7 @@ class FolderUtilityRenderer
         // Create a list of allowed file extensions with the readable format "youtube, vimeo" etc.
         $fileExtList = array();
         foreach ($allowedExtensions as $fileExt) {
-            if (GeneralUtility::verifyFilenameAgainstDenyPattern($fileExt)) {
+            if (GeneralUtility::verifyFilenameAgainstDenyPattern('.' . $fileExt)) {
                 $fileExtList[] = '<span class="label label-success">'
                     . strtoupper(htmlspecialchars($fileExt)) . '</span>';
             }
@@ -182,7 +182,7 @@ class FolderUtilityRenderer
         $fileExtList = array();
         $onlineMediaFileExt = OnlineMediaHelperRegistry::getInstance()->getSupportedFileExtensions();
         foreach ($onlineMediaFileExt as $fileExt) {
-            if (GeneralUtility::verifyFilenameAgainstDenyPattern($fileExt)
+            if (GeneralUtility::verifyFilenameAgainstDenyPattern('.' . $fileExt)
                 && (empty($allowedExtensions) || in_array($fileExt, $allowedExtensions, true))
             ) {
                 $fileExtList[] = '<span class="label label-success">'