Copied to clipboard

Flag this post as spam?

This post will be reported to the moderators as potential spam to be looked at


  • Fernando Camillo 41 posts 82 karma points
    Oct 05, 2010 @ 22:17
    Fernando Camillo
    0

    File upload restriction

    Hi.

    I tried adding a validation regex for the media type "Image" to allow only .gif, .jpeg and .jpg extensions. The umbraco displays the error message, but the file is still being saved on disk. I think it's a bug, because a malicious user could upload an .asp script to the server and do some mess with the content.

    Is there a solution for this? A solution with no programming tasks?

    Thanks again!

    Umbraco 4.5.2 for .NET 3.5, Windows XP, IIS 5.1

  • Dirk De Grave 4539 posts 6013 karma points MVP 3x admin c-trib
    Oct 05, 2010 @ 22:43
    Dirk De Grave
    0

    Hmm, yes, the file can still be uploaded by the user, but what exactly is a malicious user? Someone who left the company and still has access to the system? Or someone who's hacked the system because of easy to guess passwords? Both scenario's are possible but this is not any different from any other system...

    But to answer your question, you can't prevent the upload without some programming. But it would take just a single hour to wire up an event handler and either prevent the file from being uploaded/saved to disk or delete the malicious file.

    If you really want this feature included in the core, suggest a work item on Codeplex and vote for it. If enough people vote for it, it may even make to the core.

    Hope this helps.

    Regards,

    D/irk

  • Fernando Camillo 41 posts 82 karma points
    Oct 06, 2010 @ 14:05
    Fernando Camillo
    0

    Hi Dirk.

    Thanks for the reply. I've already suffered from the second scenario you said: someone hacked the system because of easy to guess password. Then this hacker uploaded an asp script through the backend "images upload" to delete all possible files (in the folders with write permission). What a mess! I still don't know how I'm not fired on that day...

    Can you show me only a start point to do this with programing? Because for now, I'm thinking about disable .asp files execution in the site (through IIS).

    Thank you again, and sorry about my poor english.

    Fernando

  • Connie DeCinko 931 posts 1159 karma points
    Feb 08, 2011 @ 20:15
    Connie DeCinko
    0

    What is/was the solution?  Can you please share?

     

  • Fernando Camillo 41 posts 82 karma points
    Feb 13, 2011 @ 19:31
    Fernando Camillo
    0

    Hi Connie.

    I developed a custom upload control (umbraco usercontrol wrapper .ascx) to upload images in the Media section. After that, I found another problem, but solved after some searching, as you can see in this other post.

    Fernando

     

  • Connie DeCinko 931 posts 1159 karma points
    Feb 14, 2011 @ 17:15
    Connie DeCinko
    0

    Is your custom control something you can or would share?  Or can you direct me to directions on how to create my own wrapper?  I haven't learned how to create this for Umbraco just yet.

     

  • Fernando Camillo 41 posts 82 karma points
    Mar 29, 2011 @ 13:39
    Fernando Camillo
    0

    Hi Connie.

    Sorry for the long time, I was in vacation.

    I'm preparing the control source to send for you. The language is VB.NET (the company programming language), ok?

    Please tell me where to send the files.

    Fernando

  • Connie DeCinko 931 posts 1159 karma points
    Mar 29, 2011 @ 16:50
    Connie DeCinko
    0

    We're actually C# here, but perhaps we can convert your VB code.  Send to [email protected].

    Thanks.

     

  • Fernando Camillo 41 posts 82 karma points
    Apr 01, 2011 @ 18:11
    Fernando Camillo
    0

    Hi Connie.

    I sent the files, but with this control I'm havin problems with TinyMCE, so I decided to rollback to Umbraco default upload control.

    For now I decided to download the source code of 4.5.2 stable and try to make some changes:
    http://umbraco.codeplex.com/SourceControl/changeset/changes/ffc34b23e1a0

    I hope it helps.

    Fernando

  • Fernando Camillo 41 posts 82 karma points
    May 12, 2011 @ 15:52
    Fernando Camillo
    0

    Only for information about this topic... now solved by this way:

    I created a key within appSettings at web.config:

    <add key="MediaAllowedExtensions" value=".jpg,.jpeg,.gif,.png,.doc,.xls,.pdf,.zip,.wmv,.avi,.swf,.flv" />

    After, modified the source code file "components/editorControls/uploadfield/uploadField.cs", within "public void Save()":

    ...
    if (this.PostedFile != null)
    {
    if (this.PostedFile.FileName != "")
    {
    /* Added: begin */
    // Doesn't allow file without extension:
    if (this.PostedFile.FileName.IndexOf(".") == -1) return;
    // Get allowed extensions in web.config:
    string sAllowed = System.Configuration.ConfigurationSettings.AppSettings["MediaAllowedExtensions"];
    // Get uploaded file extension (with point):
    string sExtension = this.PostedFile.FileName.Substring(this.PostedFile.FileName.LastIndexOf("."));
    // Check if extension is allowed:
    if (sAllowed.IndexOf(sExtension) == -1) return;
    /* Added: end */
    ...

    After, rebuilt the project editorControls and changed dll (umbraco.editorControls.dll).

    Hope it helps someone.

    Fernando
    Umbraco 4.5.2 for .net 3.5
    Windows Server 2003 64 bits, IIS 6

Please Sign in or register to post replies

Write your reply to:

Draft