
removed 'html' extension from the list of 'allowed_extensions' but still can upload HTML files into assets folder




8 Posts   2781 Views

MIT

Community Member, 5 Posts

3 July 2015 at 11:34am

Edited: 06/07/2015 10:32am

Hi,

I've changed the _config.php files and added a few lines so that we can't upload HTML files:

$extensions = array_diff(File::config()->allowed_extensions, array('html', 'htm', 'xhtml', 'xml'));
Config::inst()->remove('File', 'allowed_extensions'); // Prevents config from merging the old array
Config::inst()->update('File', 'allowed_extensions', $extensions);
Config::inst()->update('File', 'apply_restrictions_to_admin', true);

But despite adding these lines I can still upload them into assets.
In the frontend when I add an html file it says "Extension is not allowed (valid: ace, arc, arj, asf, au, avi, bmp, bz2, cab, cda, css, csv, dbf, dmg, doc, docx, dotm, dotx, flv, gif, gpx, gz, hqx, ico, jar, jpeg, jpg, js, kml, m4a, m4v, mid, midi, mkv, mov, mp3, mp4, mpa, mpeg, mpg, ogg, ogv, pages, pcx, pdf, pkg, png, potm, potx, pps, ppt, pptx, prj, ra, ram, rm, rtf, shp, shx, sit, sitx, swf, tar, tgz, tif, tiff, txt, wav, webm, wma, wmv, xls, xlsx, xltm, xltx, zip, zipx)"

Not sure why it's still allowing me to upload HTML files to asset/uploads.

Any help would be appreciated.
Thanks,
Mithun.

Pyromanik

Community Member, 419 Posts

3 July 2015 at 10:55pm

Edited: 03/07/2015 10:57pm

So you made the change, and now SilverStripe is not allowing the upload ("Extension is not allowed") as expected.
That seems... perfectly correct.

Perhaps if you tell us how you're uploading these .html files we can help better.

MIT

Community Member, 5 Posts

4 July 2015 at 8:31am

Hi there,

Thanks for your reply.

It's working perfectly fine in the frontend and it seems like it's not allowing the user to upload an HTML file, but then it uploads the file into the assets folder in the backend.
Isn't it supposed to block the file completely?

It's a userdefined form and I am using the 'File upload field' to upload files.
Thanks :)

Pyromanik

Community Member, 419 Posts

5 July 2015 at 9:22pm

I should have thought so, yes.
It shouldn't make any difference, but perhaps try it via YAML instead of _config.php.

MIT

Community Member, 5 Posts

6 July 2015 at 10:29am

Hi there,

I know we can add file extensions using

File:
  allowed_extensions:
    - xlsx

but how do you remove extensions?

Devlin

Community Member, 344 Posts

7 July 2015 at 1:53am

Edited: 07/07/2015 1:56am

Hello,

I tried your code and there is no HTML file in my upload folder.

"but how do you remove extensions?"

This is a good point. Personally, I enforce file extensions per UploadField instance and not globally.

Pyromanik

Community Member, 419 Posts

8 July 2015 at 10:41am

http://api.silverstripe.org/3.2/class-Config.html
I don't think you can remove a specific entry. But you can reset them all. You'd have to do it programmatically so you can add the rest back in again (i.e., get, reset, filter get results array, update).
But then if you're doing it programmatically there's this: http://api.silverstripe.org/3.2/source-class-Object.html#493-539

MIT

Community Member, 5 Posts

17 July 2015 at 2:22pm

Thanks for all the help.

Turns out it was a bug in SilverStripe which is now fixed :)
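
The symptom in this thread was a rejection message in the frontend while the file still landed on disk, so the on-disk state is what needs checking after a config change or upgrade. The following is an added example, not part of the original thread or of SilverStripe: a small audit that walks the upload folder and reports every file whose extension is outside the allowlist. The `assets/Uploads` path, the function names and the shortened allowlist are assumptions.

```python
"""Audit an upload directory against an extension allowlist (added example)."""
import os

# Extensions the first post removes from File.allowed_extensions.
REMOVED = {"html", "htm", "xhtml", "xml"}


def final_extension(filename):
    """Return the lower-cased text after the last dot, or '' if there is none."""
    stem, dot, ext = filename.rpartition(".")
    # A leading-dot name such as ".htaccess" has no stem, so it has no extension.
    return ext.lower() if dot and stem else ""


def audit_uploads(root, allowed):
    """Walk root; return sorted relative paths whose extension is not allowed."""
    allowed = {e.lower().lstrip(".") for e in allowed}
    offenders = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.startswith("."):
                continue  # assumption: dotfiles are server config, not uploads
            # Extension-less files are reported too: '' is never in the allowlist.
            if final_extension(name) not in allowed:
                rel = os.path.relpath(os.path.join(dirpath, name), root)
                offenders.append(rel.replace(os.sep, "/"))
    return sorted(offenders)


if __name__ == "__main__":
    import sys
    # Constructed allowlist: a subset of the "valid:" list quoted in the thread.
    allowed = {"doc", "docx", "gif", "jpeg", "jpg", "pdf", "png", "txt", "zip"}
    allowed -= REMOVED
    # Assumed default location; pass the real upload folder as the first argument.
    root = sys.argv[1] if len(sys.argv) > 1 else "assets/Uploads"
    bad = audit_uploads(root, allowed)
    for path in bad:
        print("not allowed:", path)
    sys.exit(1 if bad else 0)
```

The comparison is case-insensitive, so `Page.HTML` is reported as well as `page.html`, and a non-zero exit status makes the script usable from cron or a deployment check.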