Prohibit certain files for uploading

mio · 5 September 2022 18:26

hi,

I would like to add a list of files that we could not import in relation to the /upload file.
For example forbid the upload of .exe .js …

How can I do this?
thanks

pgr · 5 September 2022 21:16

Try adding it to this part of config.php:

'upload_badext' => 
  array (
    0 => 'php',
    1 => 'php3',
    2 => 'php4',
    3 => 'php5',
    4 => 'pl',
    5 => 'cgi',
    6 => 'py',
    7 => 'asp',
    8 => 'cfm',
    9 => 'js',
    10 => 'vbs',
    11 => 'html',
    12 => 'htm',
    13 => 'phtml',
  ),

Or put that array into config_override.php (same effect^)

mio · 7 September 2022 00:38

I will try
thank you

mio · 12 September 2022 20:17

hi @pgr ,

I tried the code in config.php and config_override.php but it doesn’t work.
I can still upload the files with its extensions.
The problem is that when I upload for example a .php file, the tool will add the .txt extension. ( file.php.txt)

would there be another file to modify ?
Thanks

pgr · 13 September 2022 08:28

I think that is done here

github.com

salesagility/SuiteCRM/blob/master/include/UploadMultipleFiles.php#L437-L443

      
        
            foreach ($sugar_config['upload_badext'] as $badExt) {
                if (strtolower($this->file_ext) == strtolower($badExt)) {
                    $stored_file_name .= ".txt";
                    $this->file_ext = "txt";
                    break; // no need to look for more
                }
            }

which unfortunately is not easy to modify in an upgrade-safe way.