By Nepherim on

I'm in the process of migrating a b2evolution sites over to Drupal, and hit some problems regarding file uploads, and also I suspect, MIME types.

Use Case
The base b2evolution site, with an example of what I'm trying to achieve is here: http://solidgone.org/jqtoc

1] I'd like to be able to upload .html, .css, and .js, and allow people to view those files. For example, letting people download the .js and .css. (Refer to the "Javascript" and "css" download links from the site above.)

2] I'd like to be able to post a demo html file that will execute when clicked. (Refer to the "demo" link on the site above.)

3] There will be two of us who can post content on the Drupal version of the site, so I'm not too concerned about posters spoofing mime or file types. However, I'd like to avoid having to FTP content outside of Drupal if possible.

Current Behavior
a] when I upload files of type css/js/html, using the Attach functionality, the filenames are changed to include .txt. I've added those file types to admin/settings/uploads.

I can work around the problem by manually uploading the file, thus retaining the extensions, but would like to know if there's a way to do this either from Drupal, or via a module. I'm not sure, but perhaps I need some way to define allowed file types?

Thanks,

~ ~ Dave

Categories: Drupal 6.x

Comments

styro’s picture

styro commented

a] when I upload files of type css/js/html, using the Attach functionality, the filenames are changed to include .txt. I've added those file types to admin/settings/uploads.

I'm pretty sure (corrections welcome) that is a recent (and intentional) change to Drupal. It is very hard to allow people to upload those filetypes without opening up potential XSS vulnerabilities.

--
Anton
New to Drupal? | Troubleshooting FAQ
Example knowledge base built with Drupal

Nepherim’s picture

Nepherim commented

I read some posts going back to 2006, so it's clearly a tough problem to solve. I have to imagine there is some work-around that lets people upload non-image content, without forcing a name change. Not every Drupal implementation is open to the public -- some are run by individuals who can trust themselves. :)

Nepherim’s picture

Nepherim commented

Just to clarify, I'm looking for a way to upload content via Drupal (or a Module) without triggering the name changing behavior (adding a "_" and a .txt extension). Perhaps by adding a list of known extensions, or simply by removing the check altogether, since I have a known trusted set of authors.

UPDATE: Closest I can find is http://drupal.org/node/45318 -- but this is from 2006, and is changing the Drupal core files. Is there a better mechanism in 6.x?

Nepherim’s picture

Nepherim commented

Well looks like we need to patch the core in order to prevent files being renamed and having .TXT appended. Nice. This is painful because it's not obvious to new users why some files have .TXT appended to them, nor is it obvious how to work around this in cases where they may want to do that. I understand and agree that we need this behavior enable by default but having a permission when needed seems like a no brainer. I don't understand why this seems to have been patched numerous times, from 2005 to 2008, and still isn't in the core. Go figure.

Future Reference

For anyone in the future:

  • this patch seems to be the most recent http://drupal.org/node/144760#comment-701999, but I'm not sure how to find a specific patch associated with an issue. In the meantime I made my own patch, below.
  • http://drupal.org/node/41561#comment-76739 is no longer valid -- the module no longer exists. However, file.inc seems to be filtering "php|pl|py|cgi|asp|js" and applying the .txt extension, which gave me a clue for my patch below.

A Workaround Patch

So using the technique from a post dating from 2005(!!!), I made the changes below.

Note that I suspect you should not make these changes to the core files but I'm not yet sure how to make fine-grained (sub-function level) alterations to the core, so buyer-beware.

  1. Add a new upload permission: In the modules directory find the file upload.module, locate upload_perm() and add an extra permission 'upload any filetype':
    function upload_perm() {
  return array('upload files', 'view uploaded files', 'upload any filetype');
}
  2. Allow roles with 'upload any filetype' to upload any filetypes: In the includes directory find the file file.inc, locate file_save_upload() and at line 533 (as of 6.2) change from:
        if (preg_match('/\.(php|pl|py|cgi|asp|js)$/i', $file->filename) && (substr($file->filename, -4) != '.txt')) {

    ...to this, adding the 'upload any filetype' condition at the end:

        if (preg_match('/\.(php|pl|py|cgi|asp|js)$/i', $file->filename) && (substr($file->filename, -4) != '.txt') && (!user_access('upload any filetype')) ) {
  3. Assign the permission:You can now navigate through your admin panel to admin/user/permissions and grant this permission to one or more roles.

That's it. Hope someone else finds this useful.