DOC Create dedicated article about limiting allowed file types (#9505)

docs/en/02_Developer_Guides/14_Files/03_File_Security.md

@@ -318,25 +318,6 @@ to put protected files into `/sites/myapp/protected` with the below `.env` setti
 SS_PROTECTED_ASSETS_PATH="/sites/myapp/protected"
 ```
 
-### Configuring: File types {#file-types}
-
-In addition to configuring file locations, it's also important to ensure that you have allowed the
-appropriate file extensions for your instance. This can be done by setting the `File.allowed_extensions`
-config.
-
-```yaml
-SilverStripe\Assets\File: 
-  allowed_extensions: 
-    - 7zip 
-    - xzip
-```
-
-[warning]
-Any file not included in this config, or in the default list of extensions, will be blocked from
-any requests to the assets directory. Invalid files will be blocked regardless of whether they
-exist or not, and will not invoke any PHP processes.
-[/warning]
-
 ### Configuring: Protected file headers {#protected_file_headers}
 
 In certain situations, it's necessary to customise HTTP headers required either by

docs/en/02_Developer_Guides/14_Files/06_Allowed_file_types.md

@@ -0,0 +1,92 @@
+---
+title: Allowed file types
+summary: Control the type of files that can be stored in your Silverstripe CMS project
+icon: lock
+---
+
+# Allowed file types
+
+Not every kind of file should be stored in a CMS's asset management system. For example, allowing users to upload JavaScript files could lead to a risk of Cross-Site Scripting (XSS) attacks.
+
+Out of the box, your Silverstripe CMS project will limit what type of files can be uploaded into the assets management section. There's two type of restriction in place based on:
+* the extensions of the files
+* the MIME type of the files.
+
+## File extensions validation
+
+The `silverstripe/assets` module ships with a whitelist of allowed file extensions. Any file with an extensions not in this whitelist will not be allowed to be stored in Silverstripe's assets management system.
+
+The whitelist is controlled by the `SilverStripe\Assets\File::$allowed_extensions` variable.
+
+You can whitelist additional file extensions by adding them in your YML configuration.
+```yml
+SilverStripe\Assets\File:
+  allowed_extensions:
+    - 7zip
+    - xzip
+```
+
+Any file not included in this config, or in the default list of extensions, will be blocked from
+any requests to the assets directory. Invalid files will be blocked regardless of whether they
+exist or not, and will not invoke any PHP processes.
+
+[warning]
+While SVG images are a popular format to display images on the web, they are not included in the file extension whitelist because they can contain arbitrary scripts that will be executed when the image is rendered in a browser. Allowing CMS users to upload SVG images would be a significant XSS risk. We strongly advise developers against whitelisting the `svg` file extension.
+[/warning]
+
+You can also remove pre-existing entries from the whitelist by setting them to `false`.
+
+```yml
+SilverStripe\Assets\File:
+  allowed_extensions:
+    zip: false
+```
+
+## MIME type validation
+
+Another type of validation that can be applied to files uploaded in Silverstripe CMS is MIME type validation. When MIME type validation is enabled, Silverstripe will analyse the content of files at upload time to determine their MIME type and will reject files with invalid type.
+
+MIME type validation also uses a whitelist of allowed MIME types.
+
+### Enabling MIME type validation
+
+You need to install the `silverstripe/mimevalidator` module in your project to enable MIME type validation. If your project uses `silverstripe/recipe-core` 4.6.0 or greater, or any version of the Common Web Platform, the `silverstripe/mimevalidator` module will already be installed and enabled.
+
+Look at the `app/_config/mimevalidator.yml` to view the default configuration.
+
+You can explicitly require the module by running this command
+
+```sh
+composer require silverstripe/mimevalidator
+```
+
+#### Enable globally
+
+In your `app/_config/config.yml` file:
+
+```yml
+SilverStripe\Core\Injector\Injector:
+  SilverStripe\Assets\Upload_Validator:
+    class: SilverStripe\MimeValidator\MimeUploadValidator
+```
+
+#### Enable on an individual upload field
+
+```php
+$field = UploadField::create();
+$field->setValidator(MimeUploadValidator::create());
+```
+
+#### Adding MIME types
+
+By default MIME types are checked against `HTTP.MimeTypes` config set in framework. This can be limiting as this only
+allows for one MIME type per extension. To allow for multiple MIME types per extension, you can add these in your YAML
+config as below:
+
+```yml
+SilverStripe\MimeValidator\MimeUploadValidator:
+  MimeTypes:
+    ics:
+      - 'text/plain'
+      - 'text/calendar'
+```

docs/en/04_Changelogs/4.6.0.md

@@ -4,6 +4,7 @@
 
  * [MySQL tables are auto-converted from MyISAM to InnoDB](#myisam)
  * [Editing files directly in the insert-media modal](#in-modal-editing)
+ * [MIME Type validation now a core module](#mime-validator)
 
 ## MySQL tables are auto-converted from MyISAM to InnoDB {#myisam}
 
@@ -68,6 +69,13 @@ make sure your customisations still work as expected.
 If your project uses the popular [jonom/focuspoint](https://github.com/jonom/silverstripe-focuspoint) community
 module, you should upgrade it as well.
 
+## MIME Type validation now a core module {#mime-validator}
+
+`silverstripe/mimevalidator` is now a core module and will ship by default on new projects. Projects referencing `silverstripe/recipe-core` will automatically install `silverstripe/mimevalidator` when they upgrade to 4.6.0.
+
+Read [Allowed file types](Developer_Guides/Files/Allowed_file_types) in the Silverstripe CMS doc for all the details.
+
 <!--- Changes below this line will be automatically regenerated -->
 
 <!--- Changes above this line will be automatically regenerated -->
+