-
Notifications
You must be signed in to change notification settings - Fork 35
config assetfileextensions
A configuration directive for specifying an explicit whitelist of file extensions allowed for uploaded files. Because an explicit whitelist implicitly means everything else is disallowed, it is more restrictive than its blacklist counterpart, DeniedAssetFileExtensions, which implicitly allows everything that is not specified.
Because their effects are diametrically opposed, it really only makes sense to
use one or the other in your configs, based on your general policy. However,
if you do make use of both know that DeniedAssetFileExtensions is evaluated
first and takes precedence in case of conflicting values.
Both directives are of the ARRAY type meaning that each they only take one
value but can be specified multiple times in the config.cgi to build up a
list. For example:
AssetFileExtensions gif
AssetFileExtensions jpg
AssetFileExtensions jpeg
AssetFileExtensions png
The above specifies that only three file types are allowed, all of them image formats.
Although you are welcome to specify each and ever variation of each filetype, you can alternately take advantage of the fact that the values are evaluated as case-insensitive, double-anchored Perl regular expressions allowing, for example, the following:
AssetFileExtensions gif
AssetFileExtensions jpe?g
AssetFileExtensions png
The "double-anchored" part simply means that your pattern must match the
entire file extension, ensuring that a plain t doesn't match txt, sh
doesn't match shtml and doc doesn't match docx. Of course, if you desire
that behavior, you can always use wildcards: sh.*
AssetFileExtensions defaults to an empty array.
Like DeniedAssetFileExtensions, AssetFileExtensions also accepts the
special value DEFAULT, although since the default value its an empty array,
the value is meaningless.
Please note that the implementation of this directive differs significantly from that in Movable Type and will need to be converted upon upgrade to Melody.
-
Original request for this feature: Enable admins to limit types of upload files (Case 6478)
-
Categories: Appendix: Configuration Directives
-
Tags: asset, config, extension, file, New in MT5, New in Melody 1.0.2, upload