Option to configure dangerous extensions

See all posts Reply

Option to configure dangerous extensions new!
by philipp, 11 years, 9 months ago
thank you for your great upload-class. i would like to propose two new features:

1. a methode to configure which extensions are dangerous to upload. i.e. adding .inc to the default set of dangerous extensions.

2. a methode, which checks, if an uploaded file could be dangerous BEFORE processing it. so i could check the uploaded file and decide, if i want to save the name in a database. if i could do this before processing the file, i save some performance and i do not need to unlink the file, which has after processing an other extension (.txt) as the original uploaded file.

what do you mean about these features?Reply
Re: Option to configure dangerous extensions new!
by colin, 11 years, 9 months ago
1. You can't rely on file extensions. Instead of blacklisting extensions, you can blacklist MIME types, using allowed and forbidden.

2. It is not possible with the class as it is written now. But this should be doable in the upcoming compete rewrite of the class. That said, you can remove most of the "dangerous checking" if you wish (see no_script for instance)Reply
Re: Option to configure dangerous extensions new!
by philipp, 11 years, 9 months ago
maybe i missunderstanding.
1. the apache configuration uses extensions to determine which file should be parsed as i.e. php-file. and your upload-class changes the extension of some dangerous text-files. i would like to configure which extension will be transformed.
2. thank you.Reply
Re: Option to configure dangerous extensions new!
by colin, 11 years, 9 months ago
OK, I understand what you mean. It is quite complex to add options for that, as it checks on the MIME type, on the extension, etc... I will see if I can add this feature in a next release.Reply