File uploads don't support allowedExtensions or strict="false"

Description

ACF allows the default upload blocklist this.blockedExtForFileUpload (see ) to be overridden per with an allowedExtensions option for

  • cffile action="upload|uploadAll"

  • FileUpload

  • FileUploadAll

There is also a strict option which allows bypassing the blocklist
https://docs.lucee.org/reference/functions/fileuploadall.html#argument-strict
https://helpx.adobe.com/coldfusion/cfml-reference/coldfusion-functions/functions-e-g/fileuploadall.html

https://helpx.adobe.com/coldfusion/cfml-reference/application-cfc-reference/application-variables.html#blockedext

Environment

None

Activity

Michael Offner
November 16, 2020, 9:00 PM

Adding the attribute “allowedExtension” is a problem within a minor release because we have to change the order of attributes. ATM the order is like this:

ACF
FileUpload(destination, fileField, accept, nameConflict, strict, allowedExtensions)

Lucee
FileUpload( destination, fileField, accept, nameConflict, mode, attributes, acl );

We need to add the attribute in Lucee after nameconflict, which will cause issues for people using the attributes “mode” and “acl” with unnamed arguments.

We can extend the argument mode: in case it fails, it could check if we have an extension defined, but only as an undocumented feature.

I will add the attribute to the file tag, but for the function FileUpload we wait for the next major release.

Michael Offner
November 17, 2020, 12:43 AM

I’m adding the attributes “allowedExtensions” AND “blockedExtensions” to the tag cffile.

Michael Offner
November 17, 2020, 2:30 AM

Added the function arguments to 6.0.0.12.

Michael Offner
November 17, 2020, 2:32 AM

Please test in Lucee 5.3 the tag cffile with the attributes “allowedExtension” and “blockedExtension”, then in Lucee 6 test also the functions [fileUpload, fileUploadAll] with these arguments.

Pothys - MitrahSoft
November 18, 2020, 7:13 PM

I've checked the cffile tag with the Lucee fixed version 5.3.8.107-SNAPSHOT.

5.3.8.107-SNAPSHOT

  • The attributes allowedExtensions and blockedExtensions work fine.

  • allowedExtensions overrides blockedExtensions and this.blockedExtForFileUpload. So, it works as expected.

  • If this.blockedExtForFileUpload = "html" and the accept attribute is set with mimeType (text/html), the file is allowed to upload successfully.

  • It seems the same scenario throws an error in ACF. Because this.blockedExtForFileUpload doesn't work in this version.

6.0.0.12-SNAPSHOT

  • And I've checked the fileUpload & fileUploadAll functions with Lucee version 6.0.0.12-SNAPSHOT.

  • The argument allowedExtensions works fine.

  • But blockedExtensions and this.blockedExtForFileUpload don't work as expected.

  • They don't block the file upload for the declared extension.
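
An added example, not code from this ticket or from the Lucee project: a cffile upload handler that uses the allowedExtensions allowlist discussed above and then re-checks the stored file's extension, because the blocklist behaviour reported in the tests differs between builds. The field name "attachment", the extension list and the use of the temp directory are assumptions; the list format (comma-separated, no dots) follows the "html" value used in the test above.

```cfml
<!--- upload.cfm: constructed example. Field name, extension list and
      destination are assumptions, not values from the ticket. --->
<cfset allowedExt = "png,jpg,jpeg,pdf">

<!--- Store uploads outside the web root so a stored file cannot be
      requested and executed through the web server. --->
<cfset uploadDir = getTempDirectory()>

<cftry>
    <!--- allowedExtensions is an allowlist. Per the test results in this
          ticket (5.3.8.107-SNAPSHOT) it takes precedence over
          blockedExtensions and this.blockedExtForFileUpload, so keep the
          list as short as the application allows. --->
    <cffile action="upload"
            fileField="attachment"
            destination="#uploadDir#"
            nameConflict="makeunique"
            allowedExtensions="#allowedExt#"
            result="uploaded">

    <!--- Re-check what was actually written. The ticket reports that on
          6.0.0.12-SNAPSHOT the blocklists did not block the declared
          extension, so the handler does not rely on engine-level
          filtering alone. --->
    <cfif NOT listFindNoCase(allowedExt, uploaded.serverFileExt)>
        <cffile action="delete"
                file="#uploaded.serverDirectory#/#uploaded.serverFile#">
        <cfthrow type="UploadRejected"
                 message="Extension not permitted: #uploaded.serverFileExt#">
    </cfif>

    <cfoutput>Stored as #encodeForHTML(uploaded.serverFile)#</cfoutput>

    <cfcatch type="any">
        <!--- Log the reason server-side, return a generic answer. --->
        <cflog type="warning" text="Upload rejected: #cfcatch.message#">
        <cfheader statuscode="400">
        <cfoutput>Upload rejected</cfoutput>
    </cfcatch>
</cftry>
```

When the fileUpload or fileUploadAll functions are used instead of the tag, pass named arguments, since the positional order quoted above differs between ACF and Lucee.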

Fixed

Assignee

Pothys - MitrahSoft

Reporter

Zac Spitzer

Priority

New

Fix versions

Sprint

5.3.8 Sprint 3

Affects versions