Merge pull request #320 from chillu/pulls/allowed-extensions-blacklist

API Disallow HTML uploads by default, make extensions configurable
2024-10-22 17:05:42 +02:00 · 2015-08-28 15:15:37 +12:00 · 2015-08-28 15:15:37 +12:00 · c4a95d59dc
commit c4a95d59dc
parent 3f03e6401e 1794ef3594
3 changed files with 25 additions and 2 deletions
--- a/code/model/editableformfields/EditableFileField.php
+++ b/code/model/editableformfields/EditableFileField.php
@ -16,6 +16,15 @@ class EditableFileField extends EditableFormField {
 		'Folder' => 'Folder' // From CustomFields
 	);

+	/**
+	 * Further limit uploadable file extensions in addition to the restrictions
+	 * imposed by the File.allowed_extensions global configuration.
+	 * @config
+	 */
+	private static $allowed_extensions_blacklist = array(
+		'htm', 'html', 'xhtml', 'swf', 'xml'
+	);
+
 	/**
 	 * @return FieldList
 	 */
@ -44,9 +53,12 @@ class EditableFileField extends EditableFormField {
 			->setFieldHolderTemplate('UserFormsField_holder')
 			->setTemplate('UserFormsFileField');

-		// filter out '' since this would be a regex problem on JS end
 		$field->getValidator()->setAllowedExtensions(
-			array_filter(Config::inst()->get('File', 'allowed_extensions'))
+			array_diff(
+				// filter out '' since this would be a regex problem on JS end
+				array_filter(Config::inst()->get('File', 'allowed_extensions')),
+				$this->config()->allowed_extensions_blacklist
+			)
 		);

 		$folder = $this->Folder();
--- a/docs/en/installation.md
+++ b/docs/en/installation.md
@ -29,6 +29,9 @@ to any configured recipients.

 Allowed file extensions can be configured globally through `File.allowed_extensions`,
 and default to a safe set of files (e.g. disallowing `*.php` uploads).
+You can define further exclusions through the `EditableFileField.allowed_extensions_blacklist`
+configuration setting.
+
 The allowed upload size is determined by PHP configuration
 for this website (the smaller value of `upload_max_filesize` or `post_max_size`).

--- a/tests/EditableFormFieldTest.php
+++ b/tests/EditableFormFieldTest.php
@ -102,4 +102,12 @@ class EditableFormFieldTest extends FunctionalTest {
 		$this->assertNotContains('notallowedextension', $formField->getValidator()->getAllowedExtensions());
 	}

+	public function testFileFieldAllowedExtensionsBlacklist() {
+		Config::inst()->update('EditableFileField', 'allowed_extensions_blacklist', array('jpg'));
+		$fileField = $this->objFromFixture('EditableFileField', 'file-field');
+		$formField = $fileField->getFormField();
+
+		$this->assertNotContains('jpg', $formField->getValidator()->getAllowedExtensions());
+	}
+
 }