Vulnerability in EPiServer.Forms

Try our conversational search powered by Generative AI!

AI OnAI Off

Limit allowed filetypes in the upload dir

Tore Gjerdrum
Tore Gjerdrum
Vote:
 

I am trying to limt the allowed filetypes in the upload dir in EPiServer CMS 5. This can be done with the FileEvents. But is there a nice way to display an errormessage back to the user? Now I set the e.Cancel to true and set the e.reason to an errortext in my languagefile. But this only returns an exception message. Is there another way to display a friendly errormessage to the user?

BR,

Tore

private static readonly string allowedUploadExtenstions = ConfigurationManager.AppSettings["AllowedUploadFormates"];
 
private void UnifiedFile_UnifiedFileCheckingIn(UnifiedFile sender, UnifiedVirtualPathEventArgs e)
{
  if(!IsValidUploadFile(sender.Extension)) 
  {  
    // Return errormessage  
    e.Cancel = true;  
    e.Reason = string.Format(LanguageManager.Instance.Translate("/fileupload/error"), allowedUploadExtenstions);  
    return;
 }
} 
 
private bool IsValidUploadFile(string extension)
{
  if (!string.IsNullOrEmpty(allowedUploadExtenstions))
  {
    string[] allowedFormats = allowedUploadExtenstions.Split(new char[] { ',' });
    string check = extension.Replace(".", "").ToLower();
    if (allowedFormats.Length > 0)
    {
      foreach (string s in allowedFormats)
      {
        if (s == check)
        return true;
      }
    }
 }
 return false;
#21028
Jun 19, 2008 10:12
Per Gunsarfs
Per Gunsarfs
Vote:
 

Hi Tore

I'm afraid I don't have a good answer for you right now. However, they way I see it you shouldn't be needed to do anything more then what you do to make it work. The file manager should display the reason in a nice way. I've added that as a bug that we hopefully can fix for a future version:

Bug #11287: File Manager doesn't handle cancelling of file upload

One other thing though. Not sure that you are using the correct event. If you cancel in UnifiedFileCheckingIn I think the file will still be uploaded, it will just not be check in. I suspect UnifiedDirectory.OnFileAdding might be better, although I haven't actually tested it out.

#21194
Jun 19, 2008 16:56
pappabj0rn
pappabj0rn
Vote:
 

You could use a popup with something like:

 HttpContext.Current.Response.Write("alert('File type not allowed.');");

 

#21195
Jun 19, 2008 17:00
Tore Gjerdrum
Tore Gjerdrum
Vote:
 

Hei Per and Greger.

I will try the HttpContext.Current.Response.Write("alert('File type not allowed.');"); until the bug has been fixed.

The reason why I use UnifiedFileCheckingIn is that the extesion of the file when using OnFileAdding is .TMP. Is there a way to get the right extension of the file using OnFileAdding?

If not, I will have to use the UnifiedFileCheckingIn or the UnifiedFileCheckedIn event to check the extesion, and then delete the file if the extension is not allowed?! Do you have a better sugestion?

BR,

Tore

#21207
Jun 20, 2008 16:41
Tore Gjerdrum
Tore Gjerdrum
Vote:
 

Hi.

I can use the OnFileAdding. I tried with an .GIF file, and this extension is .TMP when the file is uploaded. Is there a reason for that? Is there any other files that have .TMP on the upload event?

BR,

Tore

#21215
Jun 23, 2008 11:14
pappabj0rn
pappabj0rn
Vote:
 
You could parse the extension from the NewVirtualPath property of the UnifiedVirtualpathEventArgs.
#21216
Jun 23, 2008 11:17
Tore Gjerdrum
Tore Gjerdrum
Vote:
 

Hi Greger.

For some reason, a GIF file had an .TMP extesion. But now every file type works fine and I am using the UnifiedDirectory.OnFileAdding event.

Thanks for your help!

BR,

Tore

#21258
Jun 24, 2008 12:00
This thread is locked and should be used for reference only. Please use the Episerver CMS 7 and earlier versions forum to open new discussions.
* You are NOT allowed to include any hyperlinks in the post because your account hasn't associated to your company. User profile should be updated.