[TYPO3-core] RFC: #16136: Change behaviour of check for allowed file extensions -> make it possible to really restrict to certain file extensions for filemounts

Andreas Kiessling kiessling at pluspol.info
Tue Oct 26 17:43:02 CEST 2010


Hi,

This is an SVN patch request.

Type: New feature / Change of behaviour

Bugtracker reference: http://bugs.typo3.org/view.php?id=16136

Branches: trunk

With the settings 
$TYPO3_CONF_VARS['BE']['fileExtensions']['webspace']['allow'] (and 
…['ftpspace']) you ought to be able to restrict what kind of filetypes 
can be used in the filelist module. But after checking the function 
"is_allowed" in the class t3lib_basicFileFunctions and the core api 
documentation at around page 47, you will quickly realize that the 
"allow" setting is pretty useless, because the function interprets 
"allow" only as a kind of override to "deny". So even though you set it to 
'pdf,png,gif', you can still upload everything (doc, docx etc.) that is 
not matched by "deny" and the additionally checked fileDenyPattern.

Quoting from the core api doc:
The control is done like this: if an extension matches 'allow' then the 
check returns true. If not and an extension matches 'deny' then the 
check return false. If no match at all, returns true.


Solution: clean up the is_allowed function and make it more strict

This behaviour should be changed, so that if there is a specific setting 
for allowed file extensions, you can only use those in your 
web/ftpspace. Also, the check for denied types should be done before the 
allowed types, so you cannot just override the setting. The flash 
uploader already does it that way and lets you only select allowed 
filetypes, but if you turn it off or don't have a flash plugin, the 
default check is done.

The patch also includes a testcase for the new behaviour of the 
is_allowed function. This is my first unit test, so any notes on that 
are welcome.

Regards,
Andreas
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: 16136_v2.patch
URL: <http://lists.typo3.org/pipermail/typo3-team-core/attachments/20101026/982f186f/attachment.asc>
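
The difference between the documented check and the stricter one proposed in the mail, as an added example. This is not the attached patch and not TYPO3 core code: the function names and the sample deny list are hypothetical, and fileDenyPattern and any wildcard handling are left out.

```php
<?php
// Added illustration; function names are hypothetical, not TYPO3 core code.

/** Split a comma list such as 'pdf,png,gif' into lowercase extensions. */
function extList(string $csv): array {
    $items = array_map('trim', explode(',', strtolower($csv)));
    return array_values(array_filter($items, 'strlen'));
}

/** Behaviour as quoted from the core API doc: allow wins, deny next, else true. */
function isAllowedDocumented(string $ext, string $allow, string $deny): bool {
    $ext = strtolower($ext);
    if (in_array($ext, extList($allow), true)) {
        return true;
    }
    if (in_array($ext, extList($deny), true)) {
        return false;
    }
    return true; // no match at all: the upload is accepted
}

/** Behaviour the mail proposes: deny first, then a non-empty allow list is exhaustive. */
function isAllowedProposed(string $ext, string $allow, string $deny): bool {
    $ext = strtolower($ext);
    if (in_array($ext, extList($deny), true)) {
        return false; // 'allow' can no longer override 'deny'
    }
    $allowed = extList($allow);
    // Assumption: an empty allow list means "no restriction configured".
    return $allowed === [] || in_array($ext, $allowed, true);
}

// Constructed settings: the allow list from the mail plus a sample deny list.
$deny  = 'php,php3';
$cases = [
    ['pdf',  'pdf,png,gif'], // listed in allow
    ['docx', 'pdf,png,gif'], // in neither list: the gap the mail describes
    ['php',  'pdf,png,gif'], // denied
    ['php',  'pdf,php'],     // in both lists: allow overrides deny in the old logic
];

foreach ($cases as [$ext, $allow]) {
    printf("%-5s allow=%-12s documented=%-5s proposed=%s\n", $ext, $allow,
        var_export(isAllowedDocumented($ext, $allow, $deny), true),
        var_export(isAllowedProposed($ext, $allow, $deny), true));
}
```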

