The Filemanager component does not allow uploading of specific extensions. #3493

Closed
Raceeend opened this issue Nov 21, 2023 · 10 comments

Comments

@Raceeend
Contributor

Raceeend commented Nov 21, 2023

The Filemanager component has a test that cannot be modified via the component's parameters. For a project, files with the .cor extension must be uploaded. This extension is rejected because it is not included in Constants.UploadableFiles. In my opinion, the best solution would be to add an extra parameter to the filemanager. If this parameter is not empty, it will be used to check the extensions.
Used version: 4.0.6

@leigh-pointer
Contributor

@Raceeend This has been mentioned. Currently the FileTypes are listed as a Const string in Shared

```csharp
public const string ImageFiles = "jpg,jpeg,jpe,gif,bmp,png,ico,webp";
public const string UploadableFiles = ImageFiles + ",mov,wmv,avi,mp4,mp3,doc,docx,xls,xlsx,ppt,pptx,pdf,txt,zip,nupkg,csv,json,xml,rss,css";
```

These need to be made soft and amendable by the Host and/or Admin.

@hishamco
Contributor

It would be nice to move them as settings in the appsettings.json instead of constants. @sbwalker, if you agree with the change I can push a PR.

@Raceeend
Contributor Author

In appsettings or somewhere in the database would be a nice solution.

@sbwalker
Member

sbwalker commented Nov 21, 2023

The general philosophy in Oqtane is to avoid storing settings in appsettings.json, as appsettings does not support multi-tenancy and is not easily upgradeable. The list of file extensions should be managed per Site - and could be stored in the SiteSettings (much like a variety of other settings). The default should still rely on the UploadableFiles constant as the primary goal is to ensure that file uploads in the framework are secure - so the default list only includes files which are considered safe. If a user specifies additional file extensions for their site, they are assuming responsibility for the additional risk. File uploads are one of the top causes of security vulnerabilities in web applications.

@hishamco
Contributor

Exactly, but it's the host's responsibility to manage such media settings if we don't prefer the appsettings.json

@sbwalker
Member

sbwalker commented Nov 21, 2023

Similar to Alias settings, the Allowable File Extensions option could be managed in the Site Settings UI - but only editable by Host Users.

@leigh-pointer
Contributor

@sbwalker we did discuss moving the extensions to the Site Settings UI, I think in version 3, but I guess it fell through the net.

@leigh-pointer
Contributor

@sbwalker I have started this

@leigh-pointer
Contributor

Implementation PR complete #3528

sbwalker added a commit that referenced this issue Dec 4, 2023
File Extension management - site wide. Fix for #3493
@sbwalker
Member

sbwalker commented Dec 4, 2023

completed in #3528

@sbwalker sbwalker closed this as completed Dec 4, 2023
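
The per-site allow-list discussed in this thread, sketched as an added example (it is not Oqtane's code and not the implementation in #3528). `UploadPolicy`, `AllowedExtensions`, `IsUploadable` and the `siteSetting` parameter are hypothetical names, and the example assumes a non-empty site value replaces the default list, as proposed in the opening comment.

```csharp
using System;
using System.Collections.Generic;
using System.IO;
using System.Linq;

public static class UploadPolicy
{
    // Default lists as quoted from the constants earlier in this thread.
    public const string ImageFiles = "jpg,jpeg,jpe,gif,bmp,png,ico,webp";
    public const string UploadableFiles = ImageFiles + ",mov,wmv,avi,mp4,mp3,doc,docx,xls,xlsx,ppt,pptx,pdf,txt,zip,nupkg,csv,json,xml,rss,css";

    // siteSetting is a hypothetical per-site, host-edited value such as "pdf, .COR ,txt".
    // Assumption: a non-empty value replaces the default list; null/empty falls back to it.
    public static HashSet<string> AllowedExtensions(string siteSetting)
    {
        var list = string.IsNullOrWhiteSpace(siteSetting) ? UploadableFiles : siteSetting;
        return list.Split(',', StringSplitOptions.RemoveEmptyEntries | StringSplitOptions.TrimEntries)
                   .Select(e => e.TrimStart('.'))   // tolerate ".cor" as well as "cor"
                   .Where(e => e.Length > 0)
                   .ToHashSet(StringComparer.OrdinalIgnoreCase);
    }

    public static bool IsUploadable(string fileName, string siteSetting)
    {
        if (string.IsNullOrWhiteSpace(fileName)) return false;
        // Keep only the last path segment, whichever separator the client sent.
        var name = fileName.Substring(fileName.LastIndexOfAny(new[] { '/', '\\' }) + 1);
        // Path.GetExtension returns "" for names with no dot or a trailing dot, so those are rejected.
        var ext = Path.GetExtension(name).TrimStart('.');
        return ext.Length > 0 && AllowedExtensions(siteSetting).Contains(ext);
    }
}

public static class Program
{
    public static void Main()
    {
        // Constructed sample inputs: the default list extended with the .cor extension from the issue.
        var siteSetting = UploadPolicy.UploadableFiles + ", .COR";
        foreach (var f in new[] { "survey.cor", "Survey.COR", "notes.txt", "tool.exe", "noextension", "data.cor." })
        {
            Console.WriteLine($"{f,-14} default={UploadPolicy.IsUploadable(f, null)} site={UploadPolicy.IsUploadable(f, siteSetting)}");
        }
    }
}
```

Because the check is made on the server against the stored site value, a client that edits the component's parameters cannot widen the list; only whoever may edit the site setting can.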