Feature #102644
open
Make it easier to restrict uploadable file types / extensions (in addition to fileDenyPattern)
0%
Description
I want to prevent additional unwanted files from being uploaded, such as .exe, .zip, .iso etc. (this should be configurable). Right now, I can only do it AFAIK by changing the regex in fileDenyPattern.
My feature request
- add a "safe" configuration, so you can add additional file extensions without having to change fileDenyPattern. This does not even have to be a regex or be added to fileDenyPattern; it could be a comma-separated list of file extensions, which is used in FileNameValidator.
- make it possible to use "explicit allow" or "explicit deny" here.
- "explicit allow" should probably not be the default yet, but could be in the future.
Background
Currently, there is a setting which is a bit hidden: $GLOBALS['TYPO3_CONF_VARS']['BE']['fileDenyPattern'], which is used in FileNameValidator.
It is hidden, because it is not in the Default configuration and not visible when editing "Global configuration" in the BE.
I assume that is for security reasons, so that you don't accidentally mess up the regular expression, making the system less secure. In particular, it should not be possible to upload .php files, .htaccess files etc.
But, this also makes it difficult, in case you want to be more restrictive (!). You have to first find the hidden option and then edit the regex, hoping you don't break anything.
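A sketch of the requested behaviour, added here as an illustration and not taken from TYPO3 or from the patch under review: a comma-separated extension list with an "explicit deny" or "explicit allow" mode, checked in addition to a deny pattern so the list can only tighten the rules. The function names, the mode strings and the simplified `EXAMPLE_DENY_PATTERN` are assumptions; the code needs PHP 8.

```php
<?php
declare(strict_types=1);

// Hypothetical helper, not TYPO3's FileNameValidator. The pattern is a
// simplified stand-in for fileDenyPattern, constructed for this example.
const EXAMPLE_DENY_PATTERN = '/\.(php\d?|phtml|phar)(\..*)?$|^\.htaccess$/i';

/** Turn "exe, .ZIP,iso" into ['exe', 'zip', 'iso']. */
function parseExtensionList(string $list): array
{
    $items = array_map(
        static fn (string $e): string => strtolower(ltrim(trim($e), '.')),
        explode(',', $list)
    );
    return array_values(array_unique(array_filter($items, static fn (string $e): bool => $e !== '')));
}

/** @param string $mode 'deny' rejects listed extensions, 'allow' accepts only listed ones */
function isUploadAllowed(string $fileName, string $extensionList, string $mode = 'deny'): bool
{
    // The deny pattern always runs first; the list never relaxes it.
    if ($fileName === '' || str_contains($fileName, "\0")
        || preg_match(EXAMPLE_DENY_PATTERN, $fileName) === 1) {
        return false;
    }
    $extensions = parseExtensionList($extensionList);
    $segments = explode('.', strtolower($fileName));
    array_shift($segments); // drop the base name, keep every extension segment
    if ($mode === 'allow') {
        // Only the final extension decides; a file without one is rejected.
        return $segments !== [] && in_array(end($segments), $extensions, true);
    }
    // Deny mode: reject if any segment is listed, so "tool.exe.txt" is caught too.
    return array_intersect($segments, $extensions) === [];
}

// Constructed sample file names
foreach (['report.pdf', 'setup.EXE', 'tool.exe.txt', 'shell.php.pdf', 'README'] as $name) {
    printf("%-14s deny:%s allow:%s\n", $name,
        var_export(isUploadAllowed($name, 'exe, .zip, iso', 'deny'), true),
        var_export(isUploadAllowed($name, 'pdf,png,jpg', 'allow'), true));
}
```

In allow mode, `shell.php.pdf` passes the extension list but is still rejected by the pattern, which is why the list is layered on top of the pattern rather than replacing it.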
Updated by Gerrit Code Review 2 months ago
- Status changed from New to Under Review
Patch set 1 for branch main of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/86092
Updated by Gerrit Code Review 2 months ago
Patch set 2 for branch main of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/86092
Updated by Gerrit Code Review 2 months ago
Patch set 3 for branch main of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/86092
Updated by Gerrit Code Review 2 months ago
Patch set 4 for branch main of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/86092
Updated by Gerrit Code Review 2 months ago
Patch set 5 for branch main of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/86092
Updated by Gerrit Code Review 2 months ago
Patch set 6 for branch main of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/86092
Updated by Gerrit Code Review 2 months ago
Patch set 7 for branch main of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/86092
Updated by Gerrit Code Review 2 months ago
Patch set 8 for branch main of project Packages/TYPO3.CMS has been pushed to the review server.
It is available at https://review.typo3.org/c/Packages/TYPO3.CMS/+/86092