Support

By default, no, it does not. Remember, I am the same person who wrote Admin Tools Professional and contributed Joomla! Update's extract.php.

You can, however, misconfigure Admin Tools' .htaccess Maker to block access to that file.

Go to Components, Admin Tools for Joomla, Control Panel, .htacess Maker, and find the “Allow direct access to these files” setting. There should be an entry reading

administrator/components/com_joomlaupdate/extract.php

This allows Joomla! Update to work, explicitly allowing access to its extract.php file. If you had removed that line, add it back and click on Save and Create .htaccess to update your site's .htaccess file.

OK, a few things here.

As I explained, I wrote Joomla's extract.php myself, along with the error messages (and their troubleshooting instructions), and a lot of troubleshooting documentation (which never made it to the official docs). You can read all of it in https://github.com/joomla/joomla-cms/pull/35388. You can also see that I've clearly explained the only change required in Admin Tools is adding extract.php to the list of allowed files — which we confirmed is the case, as per our immediately previous posts.

You asked me if there's something in the .htaccess Maker which would prevent access to extract.php. The answer is no, by default there is not. Now you can see the public discussion where this is explained.

However, there are numerous ways the extract.php file could be blocked. To begin with, you can add custom code in the .htaccess Maker so by definition you can configure it to block extract.php (intentionally, or by accident). Between people maintaining their custom .htaccess file and the possibility that removing the default setting and/or adding custom .htaccess code in Admin Tools' .htaccess Maker there's a good change that a .htaccess file could be the reason of the problem, hence the recommendation I put in that error message.

So, yes, sure, do try renaming the .htaccess file. You don't need my permission. As a matter of fact, you've got me prodding you to do this through the message I put in Joomla! itself :)

There are more ways you can break communication with extract.php.

Browser plugins like NoScript (and other ad blockers) can do idiotic things like that. I always mention NoScript in situations like that because its default settings are such that break everything, all the time as I have confirmed myself.

Using the System - HTTP Headers plugin lets you set up the Content-Security-Policy HTTP header. It's also the easiest way to break your site in subtle, hard to predict, and harder to debug ways.

There are other ways this can break, e.g. the administrator/components/com_joomlaupdate directory being unwritable, therefore not allowing the creation of the update.php file which is necessary to run the update (it contains the temporary password used to authenticate your browser to extract.php). Or maybe your host sees requests coming from your IP "too fast" and blocks them. Or your host has wrongly marked extract.php as potential malware and has renamed it, deleted it, or blocked access to it. We've actually seen all of that.