Forms for editors > File field > Restricted file types

Jesper Holm Damgaard

Hi guys!

In the docs:
https://doc.dynamicweb.com/documentation-9/content/apps/forms-for-editors#sideNavTitle1-1-1

It says:
"Some file extensions are not allowed, e.g. .cshtml, .aspx and similar, and filenames are automatically cleaned of illegal characters."

Where can I find the complete list of restricted file types, and how can I modify it?

--
All the best, Jesper

 


Replies

 
Nicolai Pedersen
This post has been marked as an answer

Hi Jesper

Below are the types that are not allowed and the normalization method for filenames - the latter depends on settings. This behavior cannot be changed.

if (file.FileName.EndsWith(".cshtml", StringComparison.OrdinalIgnoreCase) ||
    file.FileName.EndsWith(".cshtm", StringComparison.OrdinalIgnoreCase) ||
    file.FileName.EndsWith(".vbhtml", StringComparison.OrdinalIgnoreCase) ||
    file.FileName.EndsWith(".vbhtm", StringComparison.OrdinalIgnoreCase) ||
    file.FileName.EndsWith(".aspx", StringComparison.OrdinalIgnoreCase) ||
    file.FileName.EndsWith(".ashx", StringComparison.OrdinalIgnoreCase) ||
    file.FileName.EndsWith(".asmx", StringComparison.OrdinalIgnoreCase) ||
    file.FileName.EndsWith(".soap", StringComparison.OrdinalIgnoreCase) ||
    file.FileName.EndsWith(".axd", StringComparison.OrdinalIgnoreCase) ||
    file.FileName.EndsWith(".rem", StringComparison.OrdinalIgnoreCase) ||
    file.FileName.EndsWith(".asp", StringComparison.OrdinalIgnoreCase))
{
    throw new Exception("Extension not allowed");
}

This is how we normalize the filename:

private static string NormalizeFileName(string fileName)
{
    // Always replace characters that cause trouble in URLs.
    fileName = fileName.Replace(",", "_");
    fileName = fileName.Replace(";", "_");
    fileName = fileName.Replace("+", "_");
    fileName = fileName.Replace("'", "_");
    fileName = fileName.Replace("#", "_");

    // Optional: replace spaces with hyphens.
    if (SystemConfiguration.Instance.GetBoolean("/Globalsettings/Modules/Filemanager/Upload/ReplaceSpace"))
    {
        fileName = fileName.Replace(" ", "-");
    }
    // Optional: convert to ASCII and strip everything except letters, digits, "_", "-" and space from the name (the extension is kept).
    if (SystemConfiguration.Instance.GetBoolean("/Globalsettings/Modules/Filemanager/Upload/LatinNormalize"))
    {
        fileName = LatinNormalization.LatinToAscii(fileName);
        string extension = Path.GetExtension(fileName);
        fileName = string.Format("{0}{1}", Regex.Replace(Path.GetFileNameWithoutExtension(fileName), "[^a-z0-9_\\- ]", string.Empty, RegexOptions.IgnoreCase), extension);
    }

    return fileName;
}

The reasoning is, of course, a possible security breach, which could also be handled via configuration, but usually it is not, and we need to remove characters in the name as they prevent accessing the file in a browser etc.

BR Nicolai

Votes for this answer: 1
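
An added example (not Dynamicweb code and not part of the original posts) that applies the posted extension check and normalization rules to a list of file names, so an administrator can see which uploads would be rejected and how accepted names would be stored. Assumptions: the two settings are passed as parameters, ToAscii is a stand-in for LatinNormalization.LatinToAscii, and the check is run on the original name before normalization (the thread does not state the order).

```csharp
// Added example, not Dynamicweb code. Settings are passed as parameters instead of
// being read from SystemConfiguration; ToAscii is a stand-in (assumption) for
// LatinNormalization.LatinToAscii, whose implementation is not shown in the thread.
using System;
using System.Globalization;
using System.IO;
using System.Linq;
using System.Text;
using System.Text.RegularExpressions;

static class UploadNameAudit
{
    // Extensions taken from the check posted in the answer.
    static readonly string[] Blocked = { ".cshtml", ".cshtm", ".vbhtml", ".vbhtm",
        ".aspx", ".ashx", ".asmx", ".soap", ".axd", ".rem", ".asp" };

    static bool IsBlocked(string name) =>
        Blocked.Any(ext => name.EndsWith(ext, StringComparison.OrdinalIgnoreCase));

    // Stand-in: decompose accented letters and drop the combining marks.
    static string ToAscii(string s) => new string(s.Normalize(NormalizationForm.FormD)
        .Where(c => CharUnicodeInfo.GetUnicodeCategory(c) != UnicodeCategory.NonSpacingMark)
        .ToArray());

    static string Normalize(string name, bool replaceSpace, bool latinNormalize)
    {
        foreach (char c in ",;+'#") name = name.Replace(c, '_');
        if (replaceSpace) name = name.Replace(" ", "-");
        if (latinNormalize)
        {
            name = ToAscii(name);
            string stem = Regex.Replace(Path.GetFileNameWithoutExtension(name),
                "[^a-z0-9_\\- ]", string.Empty, RegexOptions.IgnoreCase);
            name = stem + Path.GetExtension(name);
        }
        return name;
    }

    static void Main()
    {
        // Constructed sample names, e.g. from a listing of an existing upload folder.
        string[] samples = { "Årsrapport 2023, final.pdf", "price+list#2.xlsx",
            "contact.ASPX", "handler.ashx", "photo (1).jpg" };
        foreach (string s in samples)
            Console.WriteLine(IsBlocked(s)
                ? $"REJECT  {s}"
                : $"ACCEPT  {s} -> {Normalize(s, replaceSpace: true, latinNormalize: true)}");
    }
}
```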
 
Jesper Holm Damgaard

Hi N. Thanks for the quick answer! All the best, Jesper
