unclecheese/silverstripe-dropzone

Hackable


I was successfully able to submit a raw file POST request and upload a PHP file to the assets folder using an HTTP client. Thankfully SilverStripe won't allow that directory to run executable scripts. Class FileAttachmentField does not set allowed extensions on the Upload_Validator, so the validator has an empty array of extensions and therefore does not validate the file extension. You must call $this->setAllowedExtensions() in your FileAttachmentField::setAcceptedFiles() method to validate extensions from a forced POST that is not JavaScript validated.

FYI to others, without allowed extensions, it falls back to the below as the validation message:

Extension is not allowed (valid: json, ace, arc, arj, asf, au, avi, bmp, bz2, cab, cda, css, csv, dmg, doc,
docx, dotx, dotm, flv, gif, gpx, gz, hqx, ico, jar, jpeg, jpg, js, kml,
m4a, m4v, mid, midi, mkv, mov, mp3, mp4, mpa, mpeg, mpg, ogg, ogv, pages,
pcx, pdf, pkg, png, pps, ppt, pptx, potx, potm, ra, ram, rm, rtf, sit,
sitx, tar, tgz, tif, tiff, txt, wav, webm, wma, wmv, xls, xlsx, xltx, xltm,
zip, zipx)
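One way to close the gap described in the issue, as an added example that is not part of silverstripe-dropzone: a subclass that derives a server-side extension allow-list from the same `accept` string handed to Dropzone, so a raw POST that never passes through the JavaScript check is still rejected by the Upload_Validator. It assumes `FileAttachmentField::setAcceptedFiles(string)` exists as the issue describes and that `setAllowedExtensions(array)` is inherited from FileField and forwarded to the validator; the MIME map is a constructed, deliberately small sample.

```php
<?php
// Added example, not the module's own code. Assumes setAcceptedFiles(string)
// on FileAttachmentField and an inherited setAllowedExtensions(array) that
// forwards to the Upload_Validator (assumption about the SilverStripe 3 API).
class StrictFileAttachmentField extends FileAttachmentField
{
    // Constructed sample map for accept entries given as MIME types.
    private static $mime_extensions = array(
        'image/jpeg'      => array('jpg', 'jpeg'),
        'image/png'       => array('png'),
        'image/gif'       => array('gif'),
        'application/pdf' => array('pdf'),
    );

    /**
     * Turn a Dropzone accept string such as ".jpg,.png,image/gif" into a flat,
     * lower-cased list of extensions. Wildcards like "image/*" are refused on
     * purpose: they cannot be mapped to a closed allow-list, and an empty list
     * would silently fall back to the permissive default shown in the issue.
     */
    public static function extensionsFromAccept($accept)
    {
        $exts = array();
        foreach (array_filter(array_map('trim', explode(',', (string) $accept))) as $entry) {
            if ($entry[0] === '.') {
                $exts[] = strtolower(substr($entry, 1));
            } elseif (isset(self::$mime_extensions[$entry])) {
                $exts = array_merge($exts, self::$mime_extensions[$entry]);
            } else {
                throw new InvalidArgumentException(
                    "Cannot map accept entry '$entry' to an extension allow-list"
                );
            }
        }
        return array_values(array_unique($exts));
    }

    // Mirror the client-side accept list into the server-side validator before
    // delegating, so the browser hint and the enforced check never diverge.
    public function setAcceptedFiles($accept)
    {
        $exts = self::extensionsFromAccept($accept);
        if (empty($exts)) {
            throw new InvalidArgumentException('Refusing an empty extension allow-list');
        }
        $this->setAllowedExtensions($exts);
        return parent::setAcceptedFiles($accept);
    }
}
```

A field built as `StrictFileAttachmentField::create('Photo')->setAcceptedFiles('.jpg,.png')` then rejects `shell.php` with the validator's extension error even when the multipart body is crafted by hand.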