wildcard input field valid file extensions


recyclerobot

A while back while importing some 10k pages from another system I wrote an import script that would sniff the extension of the file, and if it wasn't yet allowed, it would first add it to allowed extensions and only then add the file. In this particular case I knew that all files were "safe", but there were dozens of different extensions to account for.

To me this idea seems to make sense: as a developer I should have the option of saying that it's safe to insert "anything" in this specific field. A warning would still make sense, considering that not everyone who has access to these options will understand the risks involved.

On a related note, I'm wondering if supporting regex would make sense here? Seems to me like one way to support just about every imaginable requirement in a future-proof way. It might confuse some vs. the old * trick, but then again, simple regex is not that much more difficult; just prefix the star with a dot :)

What if the input is left empty? Wouldn't that enable all extensions?

That's not an option; in this case the field becomes unusable. In my opinion this is correct behaviour: not having anything defined here sounds more like a half-configured field or a mistake than something the developer did intentionally and knowingly.

What if the input is left empty? Wouldn't that enable all extensions?

With a normal file or image field it will not let you save an empty "Valid File Extensions".

To me this idea seems to make sense: as a developer I should have the option of saying that it's safe to insert "anything" in this specific field. A warning would still make sense, considering that not everyone who has access to these options will understand the risks involved.

On a related note, I'm wondering if supporting regex would make sense here? Seems to me like one way to support just about every imaginable requirement in a future-proof way. It might confuse some vs. the old * trick, but then again, simple regex is not that much more difficult; just prefix the star with a dot :)

It would seem to be a great idea; however, I believe it would open many ProcessWire websites up to being hacked due to the actions of unsavory actors if it is enabled from the start. It's a vulnerability that would be easily exploited if the developer has not taken prudent actions to sanitize the input (files/images). The majority of knowledgeable developers would be aware of the danger, but that's not always the case.

Making it a configurable option that you would have to explicitly enable would be a way to make it possibly work.

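The behaviour discussed in this thread (an empty setting rejects everything, the wildcard only works after an explicit opt-in, regex entries are anchored to the whole extension), sketched as an added example that is not ProcessWire's code or any poster's. The function name, the `/.../` rule syntax and the `$allowAny` flag are assumptions made for illustration.

```php
<?php
// Added illustration, not ProcessWire code. All names here are hypothetical.

/**
 * Decide whether $filename passes a field's "valid file extensions" rules.
 * $rules:    whitespace-separated entries; each one is a literal extension
 *            ("pdf"), a regex between slashes ("/jpe?g/"), or the wildcard "*".
 * $allowAny: explicit opt-in; without it a "*" entry is ignored.
 */
function extensionAllowed(string $filename, string $rules, bool $allowAny = false): bool
{
    $entries = preg_split('/\s+/', trim($rules), -1, PREG_SPLIT_NO_EMPTY);
    if (!$entries) {
        return false; // empty setting: the field is unusable, not "allow all"
    }
    // Only the final extension counts, so "report.pdf.php" is judged as "php".
    $ext = strtolower(pathinfo($filename, PATHINFO_EXTENSION));
    if ($ext === '') {
        return false;
    }
    foreach ($entries as $entry) {
        if ($entry === '*') {
            if ($allowAny) {
                return true;
            }
            continue; // wildcard configured but never opted in
        }
        if (strlen($entry) > 2 && $entry[0] === '/' && substr($entry, -1) === '/') {
            // Anchor the pattern: unanchored, /jpe?g/ would also match "jpgx".
            // A malformed pattern makes preg_match() return false: fail closed.
            $pattern = '/\A(?:' . substr($entry, 1, -1) . ')\z/i';
            if (@preg_match($pattern, $ext) === 1) {
                return true;
            }
            continue;
        }
        if (strtolower($entry) === $ext) {
            return true;
        }
    }
    return false;
}

// Constructed sample inputs: [filename, rules, opt-in flag].
$cases = [['photo.JPG', 'pdf /jpe?g/', false], ['photo.jpgx', '/jpe?g/', false],
          ['report.pdf.php', 'pdf', false], ['a.xyz', '', false],
          ['a.xyz', '*', false], ['a.xyz', '*', true]];
foreach ($cases as [$name, $rules, $any]) {
    $verdict = extensionAllowed($name, $rules, $any) ? 'accept' : 'reject';
    printf("%-16s rules=%-14s optIn=%d => %s\n", $name, "'$rules'", $any, $verdict);
}
```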
