tonyair/silverstripe-userforms
1
0
Fork 0
mirror of https://github.com/silverstripe/silverstripe-userforms.git synced 2024-10-22 17:05:42 +02:00
Code Issues Projects Releases Wiki Activity

API Disallow HTML uploads by default, make extensions configurable

Browse Source 
HTML uploads are only relevant for SilverStripe 3.1,
since they're disallowed by default from 3.2 onwards in
the File.allowed_extensions configuration already.
This commit is contained in:
Ingo Schommer 2015-08-28 10:42:32 +12:00
parent 06b5886056
commit 1794ef3594
3 changed files with 25 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

16
code/model/editableformfields/EditableFileField.php
View File

@ -16,6 +16,15 @@ class EditableFileField extends EditableFormField {
'Folder' => 'Folder' // From CustomFields 'Folder' => 'Folder' // From CustomFields
); );
/**
* Further limit uploadable file extensions in addition to the restrictions
* imposed by the File.allowed_extensions global configuration.
* @config
*/
private static $allowed_extensions_blacklist = array(
'htm', 'html', 'xhtml', 'swf', 'xml'
);
/** /**
* @return FieldList * @return FieldList
*/ */
@ -44,9 +53,12 @@ class EditableFileField extends EditableFormField {
->setFieldHolderTemplate('UserFormsField_holder') ->setFieldHolderTemplate('UserFormsField_holder')
->setTemplate('UserFormsFileField'); ->setTemplate('UserFormsFileField');
// filter out '' since this would be a regex problem on JS end
$field->getValidator()->setAllowedExtensions( $field->getValidator()->setAllowedExtensions(
array_filter(Config::inst()->get('File', 'allowed_extensions')) array_diff(
// filter out '' since this would be a regex problem on JS end
array_filter(Config::inst()->get('File', 'allowed_extensions')),
$this->config()->allowed_extensions_blacklist
)
); );
$folder = $this->Folder(); $folder = $this->Folder();

3
docs/en/installation.md
View File

@ -29,6 +29,9 @@ to any configured recipients.
Allowed file extensions can be configured globally through `File.allowed_extensions`, Allowed file extensions can be configured globally through `File.allowed_extensions`,
and default to a safe set of files (e.g. disallowing `*.php` uploads). and default to a safe set of files (e.g. disallowing `*.php` uploads).
You can define further exclusions through the `EditableFileField.allowed_extensions_blacklist`
configuration setting.
The allowed upload size is determined by PHP configuration The allowed upload size is determined by PHP configuration
for this website (the smaller value of `upload_max_filesize` or `post_max_size`). for this website (the smaller value of `upload_max_filesize` or `post_max_size`).

8
tests/EditableFormFieldTest.php
View File

@ -102,4 +102,12 @@ class EditableFormFieldTest extends FunctionalTest {
$this->assertNotContains('notallowedextension', $formField->getValidator()->getAllowedExtensions()); $this->assertNotContains('notallowedextension', $formField->getValidator()->getAllowedExtensions());
} }
public function testFileFieldAllowedExtensionsBlacklist() {
Config::inst()->update('EditableFileField', 'allowed_extensions_blacklist', array('jpg'));
$fileField = $this->objFromFixture('EditableFileField', 'file-field');
$formField = $fileField->getFormField();
$this->assertNotContains('jpg', $formField->getValidator()->getAllowedExtensions());
}
} }