Introduce file extensions config options.

My personal preference, however, is checks for mime-types, instead of extensions. Mime types are technically superior, modern desktop environments no longer use extensions (or at least don't care about them).

CommentFileSizeAuthor
#2 field_file_options.patch3.05 KBahoeben

Comments

ahoeben’s picture

The patch presented here forces siteadmins to whitelist allowable extensions in order to prevent security issues.

Mime-types are nice and all, but AFAIK local files don't really tell what mime-type they have when they are uploaded.

ahoeben’s picture

Version: master » 4.7.x-1.x-dev
StatusFileSize
new3.05 KB

Attached patch is derived from the patch I mentioned. Allowing just any file to be uploaded is insecure, so this patch should go in ASAP.

ahoeben’s picture

Status: Active » Needs review
ahoeben’s picture

Priority: Normal » Critical
ahoeben’s picture

I hate bumping this issue like this, but can anybody at least review this patch?
It's an important security improvement.