Feature #102644

open

Make it easier to restrict uploadable file types / extensions (in addition to fileDenyPattern)

Added by Sybille Peters 5 months ago.

Status: New
Priority: Should have
Assignee: -
Category: Backend API
Target version: -
Start date: 2023-12-09
Due date:
% Done: 0%
Estimated time:
PHP Version:
Tags: security, fileDenyPattern, file upload
Complexity:
Sprint Focus:

Description

I want to prevent additional unwanted files from being uploaded, such as .exe, .zip, .iso etc. (this should be configurable). Right now, I can only do it AFAIK by changing the regex in fileDenyPattern.

My feature request

  • add a "safe" configuration, so you can add additional file extensions, without having to change fileDenyPattern. This does not even have to be a regex or be added to fileDenyPattern, it could be a comma separated list of file extensions, which is used in FileNameValidator
  • make it possible to use "explicit allow" instead of "explicit deny" here. This should probably not be the default yet, but could be in the future.

Background

Currently, there is a setting which is a bit hidden: $GLOBALS['TYPO3_CONF_VARS']['BE']['fileDenyPattern'], which is used in FileNameValidator.

It is hidden, because it is not in the Default configuration and not visible when editing "Global configuration" in the BE.

I assume that is for security reasons, so that you don't accidentally mess up the regular expression, making the system less secure. In particular, it should not be possible to upload .php files, .htaccess files etc.

But, this also makes it difficult, in case you want to be more restrictive (!). You have to first find the hidden option and then edit the regex, hoping you don't break anything.
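
One way the two requested options could sit alongside the deny regex, as an added PHP 8 sketch that is not TYPO3 code and not part of the original request: the function names, the comma-separated settings and the sample regex are assumptions made for illustration.

```php
<?php
declare(strict_types=1);

// Hypothetical sketch: the names below are illustrative, not TYPO3 API.
// Constructed, simplified stand-in for a deny regex; not TYPO3's default pattern.
const SAMPLE_DENY_PATTERN = '\\.(php[3-8]?|phtml|phar)(\\..*)?$|^\\.htaccess$';

/** Turn "exe, .ZIP,iso" into ['exe', 'zip', 'iso']. */
function parseExtensionList(string $csv): array
{
    $items = array_map(
        static fn(string $e): string => strtolower(ltrim(trim($e), '.')),
        explode(',', $csv)
    );
    return array_values(array_unique(array_filter($items, static fn(string $e): bool => $e !== '')));
}

/**
 * The deny regex always applies; the extension lists can only add restrictions.
 * A non-empty allow list switches the check to "explicit allow" mode.
 */
function isUploadAllowed(string $fileName, string $denyCsv = '', string $allowCsv = ''): bool
{
    // Use the base name and drop trailing dots/spaces that some filesystems ignore.
    $name = rtrim(basename(str_replace('\\', '/', $fileName)), '. ');
    if ($name === '' || str_contains($name, "\0")) {
        return false;
    }
    if (preg_match('/' . SAMPLE_DENY_PATTERN . '/i', $name) === 1) {
        return false;
    }
    // Every dot-separated segment after the first counts, so "archive.zip.txt" is caught.
    $segments = array_slice(explode('.', strtolower($name)), 1);
    if (array_intersect($segments, parseExtensionList($denyCsv)) !== []) {
        return false;
    }
    $allowed = parseExtensionList($allowCsv);
    if ($allowed !== []) {
        $last = $segments === [] ? '' : end($segments);
        return in_array($last, $allowed, true);
    }
    return true;
}

foreach (['report.pdf', 'setup.EXE', 'archive.zip.txt', 'shell.php.jpg', 'notes'] as $f) {
    printf("%-16s deny-list:%s allow-list:%s\n", $f,
        var_export(isUploadAllowed($f, 'exe, .zip, iso'), true),
        var_export(isUploadAllowed($f, '', 'pdf,jpg,txt'), true));
}
```

Because the regex check runs first in both modes, a mistake in either extension list can only make uploads more restrictive, never re-allow something the pattern blocks.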
