ACF Compatibility for this.blockedExtForFileUpload in Application.cfc

Description

CF2018 Update 3, CF2016 Update 10 and CF11 Update 18 all support a new Application.cfc setting `this.blockedExtForFileUpload` which allows for a comma separated list of file extensions to block from upload in cffile, fileUpload, fileUploadAll. The setting also accepts a `*` which disables all uploads (quite a nice feature), and an empty string will give the legacy behavior of allowing everything.

I see that Lucee has added a similar system property or environment variable `lucee.upload.blacklist` here https://github.com/lucee/Lucee/commit/9dfdf2e2306e8551760e8b9389c775198890de26

It is essential to have this setting at a code level, because then the developer can define what is allowed, and doesn't have to rely on how the application is deployed.

Adobe's Documentation: https://helpx.adobe.com/coldfusion/cfml-reference/application-cfc-reference/application-variables.html#blockedext

Status

Assignee

Igal Sapir

Reporter

Pete Freitag

Labels

None

Fix versions

Priority

Critical