Restrict mime types for dmFile

mpicker · November 1, 2018, 11:00pm

Hi,

Is there an easy way to restrict (project wide rather than type by type) the allowed file types for anything that makes use of dmFile? As it stands there is nothing stopping exe and com etc. files from being uploaded.

Maybe this might be a useful configurable item to add to core?

Regards
Mark

justincarter · November 1, 2018, 11:08pm

The file formtool supports the ftAllowedFileExtensions attribute which allows you to set the allowed file extensions for that upload field;

<cfproperty name="ftAllowedFileExtensions" 
  default="pdf,doc,ppt,xls,docx,pptx,xlsx,jpg,jpeg,png,gif,zip,rar,flv,swf,mpg,mpe,mpeg,m1s,mpa,mp2,m2a,mp2v,m2v,m2s,mov,qt,asf,asx,wmv,wma,wmx,rm,ra,ram,rmvb,mp3,mp4,3gp,ogm,mkv,avi"
  hint="Used when ftRenderType is set to HTML, extentions allowed to be uploaded." />

So .exe and .com extensions are not allowed but they could possibly be placed inside a zip or other file format that allows embedding.

If you need to restrict the extensions for dmFile for example, then you can extend dmFile in your project and override the filename property to specify the extensions you accept;

<cfcomponent extends="farcry.core.packages.types.dmFile">

	<cfproperty name="filename" type="string" required="no" default="" 
		ftSeq="3" ftFieldset="File Details" ftLabel="File" 
		ftType="file" ftDestination="/dmfile" 
		ftAllowedFileExtensions="doc,docx,xls,xlsx,pdf"
		ftSecure="false" ftBulkUploadTarget="true"
		hint="The name of the file to be uploaded">

</cfcomponent>

mpicker · November 2, 2018, 1:29am

DOH - sorry you are correct. I didn’t pick up in the Pen Test report that they had uploaded a .com file by putting it in a zip file. <sarcasm>FarCry shouldn’t allow this because all the other CMS products out there unpack a ZIP file to make sure its contents are in the allowed file types list…</sarcasm>

justincarter · November 2, 2018, 1:56am

We could definitely look at adding allowed extensions inside an uploaded zip, but then you have other file types like RAR or even Word docs that technically allow file embedding.

Or on a case by case basis, when a zip is uploaded (perhaps on AfterSave) you could read the list of files in the zip and do some kind of processing/notification to the user.

Depending on local virus scanning capabilities the files might have already been moved to a quarantine area too. This might also catch files where the extensions don’t match the contents and contain some type of virus/malware signature.

mpicker · November 2, 2018, 3:46am

LOL I didn’t notice that Discourse removed my “sarcasm” HTML tags from around the statement about FarCry not checking contents of a zip file - I was having a shot at the pen testers not at FarCry.

justincarter · November 2, 2018, 4:00am

Haha ahhh, that explains it

They were close I guess, reading the filename list probably isn’t too expensive when you’ve got locally attached storage But yes in reality you probably also need to rely on additional layers of access control, approval processes, and/or virus scanning to make it less likely that something could slip through.