By iarp on
I'm trying to upload a file called test.user.js
Home -> Administer -> Site Config -> I've added "js user .user.js" to the allowed uploads, yet I keep getting this error:
"For security reasons, your upload has been renamed to test.user_.js.txt" and I've no idea why. Any clues?
Comments
To prevent XSS
Letting anyone upload arbitrary javascript code to your site automatically opens you up to "XSS", cross-site scripting:
http://en.wikipedia.org/wiki/Cross-site_scripting
So, the core upload.module doesn't let you do this. Similarly, you can't upload .php files without them getting automatically renamed, since that would give anyone the ability to execute arbitrary code on your site.
___________________
3281d Consulting
Is there a way to configure that behavior?
Other file types are also renamed (e.g. OpenOffice, PDF) :-(
Is there a way to configure that behavior?
Thanks in advance,
Pascal
Letting anyone upload
Which is another reason not to let just *anyone* upload in the first place.
Forest Mars
There should be lever to
There should be a lever to disable this. I'm the only user with permissions to upload and I do NOT need this.
I don't like this behaviour
I don't like this behaviour either. When I upload .tar.gz or .tar.bz2 files they get renamed.
This forum is not the best place to discuss this
If y'all don't like how this works and want to propose a new feature for Drupal core to change it (the setting to disable it) you should search the Drupal core issue queue for (an) existing issue(s) already posted about this. If, miraculously, no one else has ever proposed this, you can submit a new issue about it with your motivation for why it should be changed. Most core developers don't read the forums like this, and no one will ever know your thoughts about how file uploads work.
That said, I doubt you'll get much support for the idea, since this functionality is security-related, and it's rare that we think it's a good idea to add a setting to make Drupal less secure for some minor convenience gains. The cost of people who don't understand the risks of this setting getting it wrong and opening up sites to remote code execution exploits is very high, and the benefit of not having your files slightly renamed is pretty low. So, you'd have to be very convincing in your motivation for people to take it seriously. ;)
Cheers,
-Derek
___________________
3281d Consulting
I'm slightly furrowed at the
I'm slightly furrowed at the notion of predicating new issue reporting on the existence of miracles, but then as Pascal pointed out, once it happens it's not miraculous anymore.
Forest Mars
If working in a custom
If working in a custom module, you can php rename() the file after upload. I'm trying this in my form submit handler.