I'm working on a module which will allow end users to upload files and I realized there is a security risk. For instance, a user could upload a malicious PHP script to perform nasty stuff on the server. My solution to this is to allow the administrator to enter a list of file extensions to allow, or enter a list of file extensions to block.
I'd like to know what the other module developers think is the best way to go, and get a feel for what users would prefer.
Thanks!
Allowed vs Restricted File Extensions
**unknown user**
- Rank: Softmore
- Registered: Mar 16, 2002
- Last visit: Oct 21, 2009
- Posts: 186
Posted: Jul 04, 2005 - 04:01 AM
**unknown user**
- Rank: Softmore
- Registered: Mar 16, 2002
- Last visit: Oct 21, 2009
- Posts: 379
Posted: Jul 04, 2005 - 04:08 AM
I'm for allowed extensions. It's much easier to say ".doc, .jpg, and .tiff" than "everything but .exe and .zip and .gzip etc etc etc," because there are a lot of extensions that would put the site at a security risk, and it's hard to keep track of all of them. Best I think to just disallow everything but a handful of special extensions.
**unknown user**
- Rank: Softmore
- Registered: Mar 16, 2002
- Last visit: Oct 21, 2009
- Posts: 395
Posted: Jul 04, 2005 - 07:27 AM
i would go for a list of allowed extensions,