Fixed
Details
Assignee
Igal Sapir
Reporter
Pete Freitag
Priority
Critical
Created 7 March 2019 at 14:39
Updated 17 October 2022 at 07:46
Resolved 18 April 2019 at 23:02
CF2018 Update 3, CF2016 Update 10 and CF11 Update 18 all support a new Application.cfc setting `this.blockedExtForFileUpload` which allows for a comma-separated list of file extensions to block from upload in cffile, fileUpload, fileUploadAll. The setting also accepts a `*` which disables all uploads (quite a nice feature), and an empty string will give the legacy behavior of allowing everything.
I see that Lucee has added a similar system property or environment variable `lucee.upload.blacklist` here https://github.com/lucee/Lucee/commit/9dfdf2e2306e8551760e8b9389c775198890de26
It is essential to have this setting at a code level, because then the developer can define what is allowed, and doesn't have to rely on how the application is deployed.
Adobe's Documentation: https://helpx.adobe.com/coldfusion/cfml-reference/application-cfc-reference/application-variables.html#blockedext
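
An added example, not part of the original report or of Lucee's code: the setting declared at code level, as the report asks, next to an upload helper that goes one step further and applies an allowlist. It assumes an engine that honours `this.blockedExtForFileUpload`; the application name, the `UploadService` component, both extension lists and the target directory are hypothetical.

```cfml
// ---- Application.cfc ----
component {
    this.name = "uploadDemo"; // hypothetical application name

    // Comma-separated extensions refused by cffile, fileUpload and fileUploadAll.
    // "*" refuses every upload; "" restores the legacy allow-everything behaviour.
    // The list below is an assumed example, not a recommended complete list.
    this.blockedExtForFileUpload = "cfm,cfml,cfc,jsp,jspx,war,exe,bat,sh";
}

// ---- UploadService.cfc (hypothetical helper component) ----
component {

    // Extensions this application actually needs (assumed list).
    variables.allowedExt = "jpg,jpeg,png,gif,pdf";

    // Receives the upload in the temp directory (outside the web root),
    // checks the extension against the allowlist, then moves the file to
    // targetDir under a server-generated name.
    public string function saveUpload(required string fileField, required string targetDir) {
        // The engine-level blocklist is enforced inside fileUpload().
        var up = fileUpload(getTempDirectory(), arguments.fileField, "", "makeunique");
        var tmpPath = up.serverDirectory & "/" & up.serverFile;

        // The blocklist only stops known-bad types; the allowlist rejects
        // everything the application has no use for.
        if (!listFindNoCase(variables.allowedExt, up.serverFileExt)) {
            fileDelete(tmpPath);
            throw(type="Upload.ExtensionNotAllowed", message="File type not permitted.");
        }

        // Never reuse the client-supplied file name in the final path.
        var finalPath = arguments.targetDir & "/" & createUUID() & "." & lCase(up.serverFileExt);
        fileMove(tmpPath, finalPath);
        return finalPath;
    }
}
```

Because the blocklist lives in Application.cfc, it travels with the code and does not depend on a system property or environment variable being set on each deployment.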