U4-9558 - Media uploads currently use a blacklist - should add a whitelist as well for security

Created by Sebastiaan Janssen 22 Feb 2017, 10:06:24 Updated by Renante Abril 29 May 2017, 15:27:46

Tags: PR

Subtask of: U4-9609

Currently we don't allow "dangerous" files to be uploaded to the media section of Umbraco, these are files that could execute (for example) javascript which could lead to XSS attacks (the <disallowedUploadFiles/> section in umbracoSettings.config).

It is difficult for us to decide on a whitelist of file types that people ARE allowed to upload but we could at least give people the option to lock down the security for their own purposes (for example: some companies would only allow files to be uploaded of type txt, nothing else). So first the blacklist will be checked, anything on the blacklist will be blocked. Then, if the file isn't blocked already we can check the whitelist. If it's not empty then we check if the file is allowed.

So: blacklist first, anything on there will be rejected. If not already rejected then the whitelist kicks in and anything not on that will be rejected as well.


Matthew 01 Mar 2017, 14:36:59

I don't understand, why keep the blacklist? Backwards compatibility? It seems like you could just use it as a fallback in case the whitelist is not being used.

Andy Butland 09 May 2017, 21:48:29

PR for this here: https://github.com/umbraco/Umbraco-CMS/pull/1939

Shannon Deminick 10 May 2017, 04:06:21

Once pulled in/reviewed/tested, this Docs PR needs to be pulled in https://github.com/umbraco/UmbracoDocs/pull/454/files

Sebastiaan Janssen 20 May 2017, 10:20:14

Tested, merged, docs merged, updated docs to note the config element is new in 7.6.2!

Priority: Normal

Type: Bug

State: Fixed


Difficulty: Normal

Category: Security

Backwards Compatible: True

Fix Submitted: Pull request

Affected versions:

Due in version: 7.6.2

Sprint: Sprint 59

Story Points:

Cycle: 1