File uploads doesn't support allowedExtensions or strict="false"


ACF allows the default upload blocklist this.blockedExtForFileUpload (see ) to be overridden per with an allowedExtensions option for

  • cffile action="upload|uploadAll"

  • FileUpload

  • FileUploadAll

There is also a strict option which allows bypassing the blocklist




Michael Offner
November 16, 2020, 9:00 PM

Adding the attribute “allowedExtension“ is a problem within a minor release because we have to change the order of attributes. ATM the order are like this:

FileUpload(destination, fileField, accept, nameConflict, strict, allowedExtensions)

FileUpload( destination, fileField, accept, nameConflict, mode, attributes, acl );

we need to add the attribute in Lucee after nameconflict what will cause issues for people using the attribute “mode” and “acl“ with unnamed arguments.

We can extend the argument mode in case it fails it could check if we have extension defined, but only as a undocumented feature.

I will add the attribute to the file tag, but for the function FileUpload we wait for the next major release.

Michael Offner
November 17, 2020, 12:43 AM

I’m adding the attribue “allowedExtensions“ AND “blockedExtensions“ to the tag cffile.

Michael Offner
November 17, 2020, 2:30 AM

added the function arguments to

Michael Offner
November 17, 2020, 2:32 AM

please test in Lucee 5.3 the tag cffile with the attribute “allowedExtension“ and “blockedExtension“ then in Lucee 6 test also the functions [fileUpload, fileUploadAll] with this arguments.

Pothys - MitrahSoft
November 18, 2020, 7:13 PM

I've checked cffile tag with lucee fixed version

  • Attribute allowedExtensions and blockedExtensions are works fine.

  • allowedExtensions is override the blockedExtensions and this.blockedExtForFileUpload. So, it works as expected.

  • If this.blockedExtForFileUpload = "html" and accept attribute with mimeType(text/html) is allowed the file to upload successfully.

  • Seems, the same scanerio throws an error in ACF. Because this.blockedExtForFileUpload doesn't works in this version.

  • And I've checked fileUpload & fileUploadAll functions with lucee version

  • The argument allowedExtensions works fine.

  • But blockedExtensions and this.blockedExtForFileUpload doesn't work as expected.

  • It doesn't block the fileupload for the declared extension.



Pothys - MitrahSoft


Zac Spitzer



Fix versions


5.3.8 Sprint 3

Affects versions