Download & Extend
Flexinode » Issues

Configurable allowed file extensions

Posted by Bèr Kessels on January 28, 2007 at 3:43pm
Project:Flexinode
Version:4.7.x-1.x-dev
Component:Field type: file
Category:task
Priority:critical
Assigned:Unassigned
Status:needs review

Issue Summary

Introduce file extensions config options.

My personal preference, however, is checks for mime-types, instead of extensions. Mime types are technically superior, modern desktop environments no longer use extensions (or at least don't care about them).

Login or register to post comments

Comments

#1

Posted by ahoeben on January 28, 2007 at 4:45pm

The patch presented here forces siteadmins to whitelist allowable extensions in order to prevent security issues.

Mime-types are nice and all, but AFAIK local files don't really tell what mime-type they have when they are uploaded.

#2

Posted by ahoeben on April 16, 2007 at 8:43am
Version:master» 4.7.x-1.x-dev

Attached patch is derived from the patch I mentioned. Allowing just any file to be uploaded is insecure, so this patch should go in ASAP.

AttachmentSize
field_file_options.patch 3.05 KB

#3

Posted by ahoeben on April 16, 2007 at 8:44am
Status:active» needs review

#4

Posted by ahoeben on April 16, 2007 at 8:48am
Priority:normal» critical

#5

Posted by ahoeben on April 26, 2007 at 11:39am

I hate bumping this issue like this, but can anybody at least review this patch?
It's an important security improvement.