
ANY file type upload in CF

daschaff 01 Dec, 2010
Hey,

has anyone ever tried to make CF upload any file type through a form? I work in a translation agency and need to prepare a form through which potential customers would ask for a price quotation, uploading the text to be translated - which comes in hundreds of different file types. Thus I cannot just specify several file types to allow.
Please help,

THX,

d.

BTW: I tried wildcards *, they don't work either.
interlingus 01 Dec, 2010
Hi,

this is not much of a help, however I got to the same kind of problem too. It would help to have the possibility to restrict some file types for security reasons instead of allowing a list of them. This part is a bit illogical here.
GreyHead 02 Dec, 2010
Hi both,

Wildcards were included in an earlier version of ChronoForms but Max removed them deliberately as they are a major security risk.

You could always hack the code to remove the test but it would be at your own risk.

Bob

PS I'm not sure that it would be possible to create a 'safe' exclusion list either :-(
daschaff 02 Dec, 2010
Thank you for the hint. I'm no good at any php scripting, however I just came to the idea of changing "false" for "true" in the following part of chronoformuploads.php:

$fn = $chronofile['name'];
$fext = substr($fn, strrpos($fn, '.') + 1);
if ( !in_array(strtolower($fext), $allowed_s3) ) {
    $fileok = true;
    $MyForm->addErrorMsg($MyForm->formparams('upload_notallowed', 'Sorry, Your uploaded file type is not allowed'));
}

Is this usable?

Thank you,

David
GreyHead 02 Dec, 2010
Hi David,

Changing 'false' to 'true' there won't work. Removing the ! from this line might work - but is not recommended and may put your site at risk!! You have been warned !!
if ( !in_array(strtolower($fext), $allowed_s3) ) {

Bob
daschaff 02 Dec, 2010
Thank you Bob,

I'm really lost here. I used CF years ago, but now I've come to this situation which I don't know how to get out of. Other form extensions do not offer the same kind of functionality as CF :-(

David
daschaff 02 Dec, 2010
Got an idea. Is there any security risk if data storage is not enabled and the uploaded file will only be transferred via e-mail?

Thank you,

David
GreyHead 02 Dec, 2010
Hi David,

I'm afraid that doesn't help. As I understand it the risk is in uploading a file in a format that is executable in some way.

Are there really hundreds of extensions? Do you have a list?

Bob
daschaff 02 Dec, 2010
Well, yesterday my coworker and I spent over an hour preparing a list of over 120 file types just to come to the conclusion that this was really no solution at all. As a translation company, our customers send basically any editable files starting with office docs (just here we go over 30 types, not to mention file types of the less common office suites on different OS's), over DTP and CAD files, database files, any markup language files, source codes, scripts... it's really way too many. The point is, we need to be able to receive even files we don't know the type of yet, at least to inform the customer that we can't work with this file format :-(


David
GreyHead 02 Dec, 2010
Hi David,

You can try commenting out the code that checks the file type. The upload should work OK . . .

I'll keep looking around to see if I can see a better solution. Fredrik is usually better on these questions than I am.

Bob
nml375 02 Dec, 2010
Hi David & Bob,
Saying what is safe, and what is not, is not a trivial task in these matters. It is mainly because these systems may have so very different setups and configurations.
Only accepting files known to be safe on this system is a generally recommended approach. Even so, there are some well-known setups that are still vulnerable after verifying the file extension (some setups with Apache and MultiViews/Content Negotiation can be vulnerable by allowing filenames such as image.php.jpg to be parsed as php-code).

Best thing?
Make sure you store the uploaded files at a location where they're not remotely accessible, and don't store anything longer than needed.

As for not storing the file on the system, but merely emailing it:
PHP handles file uploads by creating a temporary file with the content at a given location. It is then up to the php-script to copy/move the file from that location to a permanent storage, and once the php-script is terminated, the temporary file is removed. However, during this time, the file is fully accessible just like any other file on the system. If this storage is located outside of the web server spaces, then this can usually be considered safe (by the assumption that there's no other means of invoking the file as an executable file).

/Fredrik
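Fredrik's advice above (an allowlist rather than an exclusion list, checking the whole filename so that image.php.jpg is caught, storing outside the web root, and relying on PHP's temporary-file handling) written out as an added PHP example. This is not ChronoForms code; the allowlist, the UPLOAD_DIR path and the function names are assumptions.

```php
<?php
// Added example, not ChronoForms code. The allowlist and UPLOAD_DIR are assumptions.

// Extensions this site has decided it can safely accept (assumption).
const ALLOWED_EXTENSIONS = ['doc', 'docx', 'odt', 'rtf', 'txt', 'pdf', 'xlsx'];

// Storage directory outside the web server's document root (assumption).
const UPLOAD_DIR = '/var/quote-uploads';

/**
 * Returns null if the filename is acceptable, otherwise the reason it was rejected.
 * Every dot-separated component after the first is checked, not only the last one,
 * so a name like image.php.jpg is rejected even though it ends in an allowed .jpg.
 */
function checkUploadName(string $name): ?string
{
    $base = basename($name);               // drop any client-supplied directory part
    $parts = explode('.', strtolower($base));
    if (count($parts) < 2 || $parts[0] === '') {
        return 'missing or leading-dot extension';
    }
    foreach (array_slice($parts, 1) as $ext) {
        if (!in_array($ext, ALLOWED_EXTENSIONS, true)) {
            return "extension '$ext' is not allowed";
        }
    }
    return null;
}

/**
 * Moves one entry of $_FILES from PHP's temporary location into UPLOAD_DIR under a
 * random name that keeps only the validated extension. Returns the stored path.
 */
function storeUpload(array $file): string
{
    if ($file['error'] !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload failed with code ' . $file['error']);
    }
    if (($why = checkUploadName($file['name'])) !== null) {
        throw new RuntimeException('rejected: ' . $why);
    }
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    $dest = UPLOAD_DIR . '/' . bin2hex(random_bytes(16)) . '.' . $ext;
    // move_uploaded_file() refuses anything that is not a genuine PHP upload temp file.
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('could not move upload into storage');
    }
    chmod($dest, 0640); // readable by the mailer, never executable
    return $dest;
}
```

A name such as report.final.docx is also rejected by checkUploadName, since "final" is not on the allowlist; that is the price of checking every component rather than only the last.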
daschaff 03 Dec, 2010
Thank you guys,

I really appreciate your help. We've made a final decision to put the form in an article explaining which file types can be sent through it, and asking the customer to send other files directly via e-mail. However, I'm still going to deal with the question in case it comes back in future.

Again, I really appreciate your help and will buy Bob a beer :-)

Thank you.
GreyHead 03 Dec, 2010
Hi David,

Much appreciated, thank you.

I was scouting around yesterday and saw the DropBox extension for Joomla! I haven't tested it but that - or something like it - looked as though it might be a way of off-loading some of the file risk from your server.

Bob

PS I do use DropBox with clients and think it's a great application - just the Joomla! bit I haven't tested.