Jump to content
Sign in to follow this  
recyclerobot

wildcard input field valid file extensions

Recommended Posts

Hi guys,

I would like to allow any file extension to be uploaded on a certain field, I'm aware of the security implications but this field would only be used by myself, I've tried "*" wildcard but that does not seem to work

Share this post


Link to post
Share on other sites

You already have the capability to add any extension to the file field. One option I utilize is to add the *.zip extension and then use that to enclose whatever files I want to add.

Share this post


Link to post
Share on other sites

A while back while importing some 10k pages from another system I wrote an import script that would sniff the extension of the file, and if it wasn't yet allowed, it would first add it to allowed extensions and only then add the file. In this particular case I knew that all files were "safe", but there were dozens of different extensions to account for.

To me this idea seems to make sense: as a developer I should have the option of saying that it's safe to insert "anything" in this specific field. A warning would still make sense, considering that not everyone who has access to these options will understand the risks involved.

On a related note, I'm wondering if supporting regex would make sense here? Seems to me like one way to support just about every imaginable requirement in a future-proof way. It might confuse some vs. the old * trick, but then again, simple regex is not that much more difficult; just prefix the star with a dot :)

  • Like 1

Share this post


Link to post
Share on other sites

What if the input is left empty? Wouldn't that enable all extensions?

Share this post


Link to post
Share on other sites

What if the input is left empty? Wouldn't that enable all extensions?

That's not an option; in this case the field becomes unusable. In my opinion this is correct behaviour: not having anything defined here sounds more like a half-configured field or a mistake than something the developer did intentionally and knowingly.

  • Like 1

Share this post


Link to post
Share on other sites

What if the input is left empty? Wouldn't that enable all extensions?

With a normal file or image field it will not let you save an empty "Valid File Extensions".

To me this idea seems to make sense: as a developer I should have the option of saying that it's safe to insert "anything" in this specific field. A warning would still make sense, considering that not everyone who has access to these options will understand the risks involved.

On a related note, I'm wondering if supporting regex would make sense here? Seems to me like one way to support just about every imaginable requirement in a future-proof way. It might confuse some vs. the old * trick, but then again, simple regex is not that much more difficult; just prefix the star with a dot :)

It would seem to be a great idea, however I believe it would open many ProcessWire websites up to being hacked due to the actions of unsavory actors if it is enabled from the start.  It's a vulnerability that would be easily exploited if the developer has not taken prudent actions to sanitize the input (files/images).  The majority of knowledgeable developers would be aware of the danger, but that's not always the case.

Making it a configurable option that you would have to explicitly enable would be a way to make it possibly work.

  • Like 2

Share this post


Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
Sign in to follow this  

  • Recently Browsing   0 members

    No registered users viewing this page.

  • Similar Content

    • By Marvin
      Hello,
      I'm new at process wire and i want to make an web using upload file and showing it at the table as a link to open it at the new tab. I wa succed while upload a file, but how i showing it as a link at the table to open it at the new tab of my browser? Any suggestion may helpfull
      Here i attach my code below :
      This code is for upload it to back-end (process wire)
      <?php $note = $note2 = $hidden =""; if($input->post->submit){ $upload_path = $config->paths->assets.'files/upload/'; if(!is_dir($upload_path)){ if(!wireMkdir($upload_path)) throw new WireException("No upload path"); } $original = $sanitizer->text($input->post->original); $indonesia = $sanitizer->text($input->post->indonesia); $other = $sanitizer->text($input->post->other); $composer = $sanitizer->text($input->post->composer); if(!$original || !$indonesia || !$other || !$composer){ $note = "Data tidak lengkap"; } else { $newFile = new WireUpload("song_files"); $newFile->setMaxFiles(1); $newFile->setOverwrite(false); $newFile->setDestinationPath($upload_path); $newFile->setValidExtensions(array('pdf','docx','doc')); $files = $newFile->execute(); if(!count($files)) { $newFile->error("No files received, so not creating page."); return false; } $newImg = new WireUpload("img_files"); $newImg->setMaxFiles(1); $newImg->setOverwrite(false); $newImg->setDestinationPath($upload_path); $newImg->setValidExtensions(array('jpeg','jpg','png','gif')); $files = $newImg->execute(); if(!count($files)) { $newImg->error("No files received, so not creating page."); return false; } $newPage = new Page(); $newPage->template = "files"; $newPage->parent = $pages->get("/files/"); $newPage->title = $original; $newPage->text_1 = $indonesia; $newPage->text_2 = $other; $newPage->text_3 = $composer; $newPage->of(false); $newPage->save(); foreach($files as $filename) { $filepath = $upload_path . $filename; $newPage->files->add($filepath); $newPage->message("Add file : $filename"); unlink($filepath); } $newPage->save(); } } ?> and this code to showing it as a link at the table
      <table class="border"> <tr> <th>No.</th> <th>Original Song Title</th> <th>Indonesia Song Title</th> <th>Other Song Title</th> <th>Composer</th> <th>File (pdf)</th> </tr> <?php $num = 1; $song; foreach($pages->get("/files/")->children as $child) { //showing every child at files parent directory $page == $child; $song = $pages->get("/files/".$child->id."/")->files; //showing uploaded files at child directory echo $child->id; echo "<tr><td>".$num++.".</td><td>".$child->title."</td><td>".$child->text_1."</td><td>".$child->text_2."</td><td>".$child->text_3."</td><td><a href='".$song->httpUrl."'</a>".$song->name."</td></tr>"; } ?> </table> Thank you for any suggestion
    • By theoretic
      Hi there! And thanks for Processwire!
      It appears there's a possible bug in Processwire 3.0.170 concerning file and/or image inputfield. Creating such a field results in the following error:

      Fatal Error: Uncaught Error: Call to a member function get() on null
      The inputfield is created however. The closer look reveals a problem at line 60 in wire\modules\Fieldtype\FieldtypeFile\config.php:
      if(!$value) $value = $fieldtype->get('defaultFileExtensions'); Commenting this line removes the problem, but the newly created inputfield requires 'Allowed file extensions' config option to be set (which is rather expectable since i commented the above-cited line of code). Never faced this problem before, hope it can be resolved.
    • By xportde
      How does one enable executables to be uploaded to the File field? Just adding the file extension to the accepted extensions does not seem to work.

      screenshot attached (ignore the label 'video')

    • By GradDev
      I have a file field named "resume". I want to delete the file saved in it using the API.
      The field is limited to only 1 upload of file and the return type is set to "Automatic" which means it will return a single object if a file is available.
      Now there are two options that I have tried- delete() and deleteAll().
      $page_to_change = $pages->get("name=xyz"); $page_to_change->resume->deleteAll(); //OR //$page_to_change->resume->delete($page_to_change->resume); $page_to_change->of(false); $page_to_change->save(); Both of these give an error like-
      Error: Exception: Method Pagefile::deleteAll does not exist or is not callable in this context(...) I understand that this error is because these two functions work on a wirearray rather than on a file object.
      But how do I delete a single file?
    • By AndZyk
      Hello,
      I am currently building a intranet which will be hosted on the local network of a company. This intranet has many links to files on their fileserver with the protocol file://.
      So for example the links look like this file://domain.tld/filename.ext
      When I try to insert such a link into a URL field, I get the error, that only the protocol http:// is allowed. When I try to insert such a link into a CKEeditor link, it gets stripped out. Is it possible to insert such links into the FieldType URL and CKEditor.
      I know that I could use a FieldType Text or insert a RewriteRule in the .htaccess file, but I am looking for a more elegant solution. 😉
      Regards, Andreas
×
×
  • Create New...