ACF Compatibility for wildcard in this.blockedExtForFileUpload

Description

The implementation of this.blockedExtForFileUpload in Lucee does not implement the * wildcard, which should prevent ALL file uploads within the Application (or server if set globally). ACF supports setting the value to *; Lucee only accepts a list of file extensions.

This wildcard setting is extremely useful for applications or servers that do not need to accept uploads.

Ideally Lucee will check this setting before creating the temporary file with the uploaded file contents, and simply throw an exception at that point.

Activity


Zac Spitzer 6 February 2025 at 19:43
Edited

I’ve added initial support for blocking processing files (i.e. they don’t get written to disk) via the env var / sys prop lucee.upload.blocklist, as the application context isn’t available at that stage (yet??)

When a file upload is blocked during request init:

  • the file isn’t written out to disk

  • the resource is set to null, which the file upload logic now detects

  • the form field value is set to “File upload was blocked”

Otherwise, the application configuration kicks in when you attempt to process a file upload, as before.

Zac Spitzer 6 February 2025 at 17:28

https://github.com/lucee/Lucee/pull/2509

Implements the block, for files with and without extensions

Manual testcase which can be run in the browser, as internalRequest doesn’t support file uploads
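
The request-init behaviour described in the comments above (nothing written to disk, a null resource, the form field set to the blocked message), together with the * wildcard this ticket asks for, as an added Java sketch. It is not Lucee's code: the class and method names are hypothetical, and the comma-separated list format and case-insensitive matching are assumptions.

```java
import java.io.IOException;
import java.nio.file.*;
import java.util.*;
import java.util.stream.Collectors;

// Hypothetical sketch, not Lucee source: the block decision is made before any bytes reach disk.
public class UploadBlockSketch {
    static final String BLOCKED_VALUE = "File upload was blocked"; // form field value quoted in the comment above

    // Assumption: the blocklist is a comma-separated extension list; "*" blocks everything.
    static Set<String> parse(String blocklist) {
        if (blocklist == null) return Set.of();
        return Arrays.stream(blocklist.split(","))
                .map(s -> s.trim().toLowerCase(Locale.ROOT).replaceFirst("^\\.", ""))
                .filter(s -> !s.isEmpty())
                .collect(Collectors.toSet());
    }

    // Extension after the last dot of the base name; "" when the file has none.
    static String extension(String filename) {
        String base = filename.substring(Math.max(filename.lastIndexOf('/'), filename.lastIndexOf('\\')) + 1);
        base = base.replaceAll("[. ]+$", ""); // some filesystems drop trailing dots/spaces, so strip them first
        int dot = base.lastIndexOf('.');
        return dot < 0 ? "" : base.substring(dot + 1).toLowerCase(Locale.ROOT);
    }

    static boolean isBlocked(String filename, Set<String> blocklist) {
        return blocklist.contains("*") || blocklist.contains(extension(filename));
    }

    // Returns the temp file, or null when blocked (no temp file is created in that case).
    static Path store(String filename, byte[] body, Set<String> blocklist, Path tmpDir) throws IOException {
        if (isBlocked(filename, blocklist)) return null;
        Path tmp = Files.createTempFile(tmpDir, "upload-", ".tmp");
        return Files.write(tmp, body);
    }

    public static void main(String[] args) throws IOException {
        Path tmpDir = Files.createTempDirectory("upload-sketch");
        byte[] body = "constructed sample body".getBytes();
        for (String list : new String[] {"cfm,jsp", "*"}) {
            for (String name : new String[] {"report.pdf", "page.CFM", "README"}) { // constructed file names
                Path p = store(name, body, parse(list), tmpDir);
                System.out.printf("%-8s %-10s -> %s%n", list, name, p == null ? BLOCKED_VALUE : p.toString());
            }
        }
        try (var files = Files.list(tmpDir)) { System.out.println("files on disk: " + files.count()); }
    }
}
```

Run it with `java UploadBlockSketch.java` on Java 11 or later; with the `*` list neither the file with an extension nor `README` produces a temp file.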

Zac Spitzer 24 August 2020 at 08:59

I have filed a PR to improve the error message for this; previously the exception only mentioned setting system properties or environment messages.

https://github.com/lucee/Lucee/pull/1007

Details


Created 9 September 2019 at 16:40
Updated 5 days ago
