Allowed vs Restricted File Extensions :: Zikula Community

Allowed vs Restricted File Extensions [8]

csteelatgburg [15]

Rank: Helper

Registered: 17.10.02

last visit: 23.01.07

Posts: 192
[16] Posted: 04.07.2005, 16:01

I'm working on a module which will allow end users to upload files and I realized there is a security risk. For instance, a user could upload a malicious PHP script to perform nasty stuff on the server. My solution to this is to allow the administrator to enter a list of file extensions to allow, or enter a list of file extensions to block.

I'd like to know what the other module developers think is the best way to go, and get a feel for what users would prefer.

Thanks!
[17]

[18]
jediping [20]

Rank: Helper

Registered: 15.11.04

last visit: 12.03.07

Posts: 387
[21] Posted: 04.07.2005, 16:08

I'm for allowed extensions. It's much easier to say ".doc, .jpg, and .tiff" than "everything but .exe and .zip and .gzip etc etc etc," because there are a lot of extensions that would put the site at a security risk, and it's hard to keep track of all of them. Best I think to just disallow everything but a handful of special extensions.
[22]

[23]
cannibus [25]

Rank: Helper

Registered: 30.11.04

last visit: 20.09.08

Posts: 401
[26] Posted: 04.07.2005, 19:27

i would go for a list of allowed extensions,
[27]

[28]

Moderated by :

Support [30]

This list is based on the users active over the last 60 minutes.