[TYPO3-core] RFC: #16136: Change behaviour of check for allowed file extensions -> make it possible to really restrict to certain file extensions for filemounts
Andreas Kiessling
kiessling at pluspol.info
Tue Oct 26 17:43:02 CEST 2010
Hi,
This is an SVN patch request.
Type: New feature / Change of behaviour
Bugtracker reference: http://bugs.typo3.org/view.php?id=16136
Branches: trunk
With the settings
$TYPO3_CONF_VARS['BE']['fileExtensions']['webspace']['allow'] (and
…['ftpspace']) you ought to be able to restrict what kind of filetypes
can be used in the filelist module. But after checking the function
"is_allowed" in the class t3lib_basicFileFunctions and the core api
documentation at around page 47, you will quickly realize that the
"allow" setting is pretty useless, because the function interprets
"allow" only as a kind of override to "deny". So even though you set it to
'pdf,png,gif', you can still upload everything (doc, docx etc.) that is
not matched by "deny" and the additionally checked fileDenyPattern.
Quoting from the core api doc:
The control is done like this: if an extension matches 'allow' then the
check returns true. If not and an extension matches 'deny' then the
check return false. If no match at all, returns true.
Solution: clean up the is_allowed function and make it more strict
This behaviour should be changed, so that if there is a specific setting
for allowed file extensions, you can only use those in your
web/ftpspace. Also, the check for denied types should be done before the
allowed types, so you cannot just override the setting. The flash
uploader already does it that way and lets you only select allowed
filetypes, but if you turn it off or don't have a flash plugin, the
default check is done.
The patch also includes a testcase for the new behaviour of the
is_allowed function. This is my first unit test, so any notes on that
are welcome.
Regards,
Andreas
-------------- next part --------------
An embedded and charset-unspecified text was scrubbed...
Name: 16136_v2.patch
URL: <http://lists.typo3.org/pipermail/typo3-team-core/attachments/20101026/982f186f/attachment.asc>
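
The difference between the check quoted from the core API doc and the stricter order proposed in the message, as an added example. It is not TYPO3 core code and not the attached patch: the function names and the sample configuration are hypothetical, extension lists are assumed to be plain comma-separated strings, and the additional fileDenyPattern check is left out.

```php
<?php
// Added illustration; not TYPO3 core code and not the attached patch.
// Function names and the sample configuration are hypothetical.

/** Split a comma-separated extension list into lowercase entries. */
function extList(string $csv): array
{
    return array_filter(array_map('trim', explode(',', strtolower($csv))), 'strlen');
}

/** Behaviour as quoted from the core API doc: "allow" only overrides "deny". */
function isAllowedLegacy(string $ext, array $cfg): bool
{
    $ext = strtolower($ext);
    if (in_array($ext, extList($cfg['allow']), true)) {
        return true;
    }
    if (in_array($ext, extList($cfg['deny']), true)) {
        return false;
    }
    return true; // no match at all: accepted
}

/** Behaviour proposed in the message: deny first, then a real allow list. */
function isAllowedStrict(string $ext, array $cfg): bool
{
    $ext   = strtolower($ext);
    $allow = extList($cfg['allow']);
    if (in_array($ext, extList($cfg['deny']), true)) {
        return false; // "allow" can no longer override "deny"
    }
    if ($allow !== []) {
        return in_array($ext, $allow, true); // only listed types pass
    }
    return true; // no allow list configured: fall back to deny-only
}

// Constructed sample configuration (php is in both lists on purpose).
$cfg = ['allow' => 'pdf,png,gif,php', 'deny' => 'php,php3,phtml'];

foreach (['pdf', 'docx', 'php', 'PNG'] as $ext) {
    printf("%-5s legacy=%-5s strict=%s\n", $ext,
        var_export(isAllowedLegacy($ext, $cfg), true),
        var_export(isAllowedStrict($ext, $cfg), true));
}
```

With this configuration the legacy check accepts docx (no match in either list) and php (the allow entry overrides deny), while the strict check rejects both.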