Allow any file extension for upload

11 posts by 3 authors in: Forums > CMS Builder
Last Post: December 12, 2008   (RSS)

By aev - December 10, 2008

Hi!

Is it possible to allow any file extension for a upload field?
Similar to unlimited size.

-aev-

Re: [aev] Allow any file extension for upload

By Dave - December 10, 2008

Also, "any extension" would allow the upload of php, cgi, shtml, exe, etc files which could pose a security risk.
Dave Edis - Senior Developer
interactivetools.com

Re: [Dave] Allow any file extension for upload

By aev - December 11, 2008

Hi!

Is this still a security risk if the client is "trusted"? Or is it possible for not logged in people to somehow upload files?

-aev-

Re: [aev] Allow any file extension for upload

By ross - December 11, 2008

Hi

It's still a security risk in that the code in the files they are uploading could lead to problems. CMS Builder won't be scanning your files for malicious code or anything like that. It will just upload the file.

But you can add any extension to that list you like so it ends up being what ever you like :).
-----------------------------------------------------------
Cheers,
Ross Fairbairn - Consulting
consulting@interactivetools.com

Hire me! Save time by getting our experts to help with your project.
Template changes, advanced features, full integration, whatever you
need. Whether you need one hour or fifty, get it done fast with
Priority Consulting: http://www.interactivetools.com/consulting/

Re: [ross] Allow any file extension for upload

By aev - December 11, 2008


Can we disable the extension check if only highly trusted users are editing the site?

If yes, how do we do it?

-aev-

Re: [aev] Allow any file extension for upload

By ross - December 11, 2008

Hi

Were you thinking something like this:

if user is and admin, allow any file type?

Either way, we'll have to ask Dave about this one but we can talk it out before he gets in today :).
-----------------------------------------------------------
Cheers,
Ross Fairbairn - Consulting
consulting@interactivetools.com

Hire me! Save time by getting our experts to help with your project.
Template changes, advanced features, full integration, whatever you
need. Whether you need one hour or fifty, get it done fast with
Priority Consulting: http://www.interactivetools.com/consulting/

Re: [ross] Allow any file extension for upload

By aev - December 11, 2008

Yes something like that.

-aev-

Re: [aev] Allow any file extension for upload

By Dave - December 12, 2008

If you're comfortable editing the code you can try this:

- open /lib/menus/default/uploadForm_functions.php
- search for 'allowedExtensions'
- add the code in red:
// check allowed extensions
$validExt = preg_split("/\s*\,\s*/", strtolower($fieldSchema['allowedExtensions']));
$fileExt = pathinfo(strtolower($uploadInfo['name']), PATHINFO_EXTENSION);
$encodedValidExt = htmlspecialchars( $fieldSchema['allowedExtensions'] );
if (!in_array('*', $validExt) && !in_array($fileExt, $validExt)) {
$fileErrors .= sprintf(__("File '%s' isn't allowed (valid file extensions: %s)."), $encodedFilename, $encodedValidExt);
$fileErrors .= "<br/>\n";
}


- Change the allowed file extensions to: *

Let me know if that works how you want, if it does I'll leave it in the code for the next version.
Dave Edis - Senior Developer
interactivetools.com

Re: [Dave] Allow any file extension for upload

By aev - December 12, 2008

Hi Dave.

I added your code and it works perfectly! Great!

-aev-