SS-2014-012: File Upload Restrictions
- Severity: Moderate
- Versions Affected: 2.4, 3.0, 3.1
- Versions Fixed: 3.2, master
- Release Date:
Certain file types have been removed from the default allowed extensions because they have been deemed at risk of exploitation. As of 3.2, these file types cannot be uploaded via `UploadField` or `Upload` form fields unless they are explicitly allowed. This risk has been identified not only on the front end, but also within the CMS.
SWF (Adobe Flash) has also been removed as a default uploadable format. Details of the risk this format poses, and workarounds to mitigate these risks in your production environment, can be found in the Security Documentation.