Indefero

Issue 761: Unable to upload files without an extension

Reported by Simon Gareste, Nov 18, 2011

Currently, the only way to add extensions available is to go in the 
install folder, in Form/Upload.php and add the extension to the 
clean_file function. 
I think this should be made much more configurable, except if there 
was a reason behind this behavior, in which case I would like to 
know why.

Comment 1 by Thomas Keller, Nov 18, 2011

I think this is not quite the issue. You can, in fact, add more 
extensions via the configuration variable 'idf_extra_upload_ext' 
which is used everywhere, but your original issue was that you 
cannot upload files without an extension.

My problem with this kind of "pseudo-security" is 
basically that such a list is never complete nor does it make the 
user's life any more safe. And in case the forge owner wanted to 
restrict the allowed upload types to a couple file extensions he'd 
have to hack the various upload forms by hand anyways, because many 
extensions are always added unconditionally to the list of allowed 
extensions right now.

So the real question is: What are upload extension restrictions 
really good for? Shouldn't the browser take care of the security and 
shouldn't we only take care of mime-types (at most) to send the 
correct Content-type: header in case of a download?
Summary: Unable to upload files without an extension

Comment 2 by Jean-Philippe Fleury, Nov 22, 2011

This may be a duplicate of issue 537.

Comment 3 by Thomas Keller, Nov 22, 2011

It's actually related, yes. Thanks for the pointer.
Relations: is related to 537

Created: 1 year 6 months ago by Simon Gareste

Updated: 1 year 6 months ago

Status: New

Followed by: 2 persons

Labels:
Type:Defect
Priority:Medium

This issue is related to
537 - Man...ted/allowed upload types