The Filemanager component does not allow uploading of specific extensions. #3493
Comments
@Raceeend This has been mentioned. Currently the FileTypes are listed as a Const string in Shared
These need to be made soft and amendable by the Host and/or Admin.
It would be nice to move them as settings in the
In appsettings or somewhere in the database would be a nice solution
The general philosophy in Oqtane is to avoid storing settings in appsettings.json, as appsettings does not support multi-tenancy and is not easily upgradeable. The list of file extensions should be managed per Site - and could be stored in the SiteSettings (much like a variety of other settings). The default should still rely on the UploadableFiles constant as the primary goal is to ensure that file uploads in the framework are secure - so the default list only includes files which are considered safe. If a user specifies additional file extensions for their site, they are assuming responsibility for the additional risk. File uploads are one of the top causes of security vulnerabilities in web applications.
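The per-site allowlist with a secure default, as described in the comment above, sketched in C# as an added example (not Oqtane's code and not the implementation from the PR). The class and method names, the default list and the sample file names are hypothetical, and a non-empty site value is assumed to replace the default list rather than extend it.

```csharp
using System;
using System.Collections.Generic;
using System.IO;
using System.Linq;

// Added illustration: all names here are hypothetical, not Oqtane's API.
public static class UploadExtensionPolicy
{
    // Constructed stand-in for the framework default (Constants.UploadableFiles).
    private const string DefaultUploadableFiles = "jpg,jpeg,png,gif,pdf,txt,csv,zip";

    // Parse "jpg, .PNG ,cor" into a normalized set; entries that are not
    // purely alphanumeric (wildcards, paths, empty items) are dropped.
    public static HashSet<string> Parse(string csv) =>
        new HashSet<string>(
            (csv ?? string.Empty)
                .Split(',', StringSplitOptions.RemoveEmptyEntries)
                .Select(e => e.Trim().TrimStart('.').ToLowerInvariant())
                .Where(e => e.Length > 0 && e.All(char.IsLetterOrDigit)),
            StringComparer.OrdinalIgnoreCase);

    // Assumption: a non-empty site setting replaces the default list;
    // a missing or unusable value falls back to the secure default.
    public static HashSet<string> Effective(string siteSetting)
    {
        var site = Parse(siteSetting);
        return site.Count > 0 ? site : Parse(DefaultUploadableFiles);
    }

    public static bool IsAllowed(string fileName, string siteSetting)
    {
        if (string.IsNullOrWhiteSpace(fileName)) return false;
        // Discard any client-supplied directory part (both separator styles).
        string name = Path.GetFileName(fileName.Replace('\\', '/'));
        // Only the final extension counts, so "survey.cor.exe" is judged as "exe".
        string ext = Path.GetExtension(name).TrimStart('.');
        // Reject names with no extension or with trailing dots/spaces, which
        // some file systems strip on write and so change the stored extension.
        if (ext.Length == 0 || name != name.TrimEnd('.', ' ')) return false;
        return Effective(siteSetting).Contains(ext);
    }

    public static void Main()
    {
        string hostSetting = "jpg,png,pdf,.COR"; // constructed value entered by a host user
        var samples = new[] { "survey.cor", "SURVEY.COR", "survey.cor.exe", "survey.cor.", "notes" };
        foreach (var f in samples)
            Console.WriteLine($"{f,-16} site={IsAllowed(f, hostSetting)} default={IsAllowed(f, null)}");
    }
}
```

The same check has to run on the server for every upload; a client-side parameter on the component alone would not enforce it.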
Exactly, but it's the host's responsibility to manage such media settings if we don't prefer the
Similar to Alias settings, the Allowable File Extensions option could be managed in the Site Settings UI - but only editable by Host Users.
@sbwalker we did discuss moving the extensions to the Site Settings UI, I think in version 3, but I guess it fell through the net.
@sbwalker I have started this
Implementation PR complete #3528
File Extension management - site wide. Fix for #3493
completed in #3528
The Filemanager component has a test that cannot be modified via the component's parameters. For a project, files with the .cor extension must be uploaded. This extension is rejected because it is not included in Constants.UploadableFiles. In my opinion, the best solution would be to add an extra parameter to the filemanager. If this parameter is not empty, it will be used to check the extensions.
Used version: 4.0.6