19 changes: 13 additions & 6 deletions attachments/.htaccess
@@ -1,8 +1,15 @@
AddHandler cgi-script .php .php2 .php3 .php4 .php5 .php6 .php7 .php8 .php9 .pl .py .js .jsp .asp .htm .html .$

Options -ExecCGI -Indexes

#grant access only if files with specific extensions are uploaded
<FilesMatch "(?i)\.(bmp|csv|doc|docx|heic|html|jpeg|jpg|msg|odg|odt|pages|pdf|png|ppt|pptx|rtf|tiff|wpd|wps|xls|xlsx|xps)$">
Require all granted
</FilesMatch>
# Deny all direct HTTP access to files stored in this directory.
# Attachments must be served through the application (AttachmentsUI) so that authentication and authorization checks are always enforced.

# For Apache 2.4 and later (using mod_authz_core): deny all requests to this directory.
<IfModule mod_authz_core.c>
Require all denied
</IfModule>

# For older Apache versions or when mod_authz_core is not available: use the legacy access control syntax to deny all requests to this directory.
<IfModule !mod_authz_core.c>
Order deny,allow
Deny from all
</IfModule>
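Review bot: The deny-all is the right direction, but the hunk also drops `Options -ExecCGI -Indexes` together with the `AddHandler cgi-script` line that kept uploaded `.php` files from being executed, so there is no second layer left if the directory ever becomes reachable again. `Require all denied` in a `.htaccess` is only honored when the vhost's `AllowOverride` covers `AuthConfig` (or `All`), and the legacy `Order`/`Deny` fallback needs Apache 2.2 or mod_access_compat; under `AllowOverride None`, or behind a non-Apache front end such as nginx, this file is silently ignored. I would keep `Options -Indexes -ExecCGI` above the `<IfModule>` blocks and add a header comment such as `# Requires AllowOverride AuthConfig (and Options) for this directory; ideally keep attachments outside DocumentRoot.` since storing uploads outside the web root is the only control that does not depend on server configuration.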
21 changes: 21 additions & 0 deletions lib/Attachments.php
Expand Up @@ -955,6 +955,27 @@ public function createFromUpload($dataItemType, $dataItemID, $fileField,
return false;
}

/* Restrict uploads to a whitelist of allowed file extensions.
* This is a server-side validation which cannot be bypassed by
* manipulating client-side restrictions.
*/
$allowedExtensions = array(
'bmp', 'csv', 'doc', 'docx', 'heic',
'jpeg', 'jpg', 'msg', 'odg', 'odt',
'pages', 'pdf', 'png', 'ppt', 'pptx',
'rtf', 'tiff', 'wpd', 'wps', 'xls',
'xlsx', 'xps'
);

$extension = FileUtility::getFileExtension($originalFilename);

if (!in_array($extension, $allowedExtensions, true))
{
$this->_isError = true;
$this->_error = 'This file type is not allowed for upload.';
return false;
}

/* This usually indicates an error. */
if ($fileSize <= 0)
{
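Review bot: The allow-list comparison at `in_array($extension, $allowedExtensions, true)` is case-sensitive against lowercase entries, so whether `Report.PDF` is accepted depends entirely on `FileUtility::getFileExtension()` normalizing case, which is not visible here; normalizing at the call site with `$extension = strtolower((string) FileUtility::getFileExtension($originalFilename));` removes that dependency. The check also only inspects the final extension, so a name like `shell.php.pdf` passes; that is acceptable only because direct access to the directory is denied and the application serves the bytes, and the comment should say so: `// Extension allow-list is defense in depth: execution is prevented by attachments/.htaccess and files are presumably served by AttachmentsUI with Content-Disposition: attachment (confirm).` Most of the listed formats (doc, xls, ppt, msg, rtf, pdf) can still carry macros or active content, so this check does not substitute for content scanning on the download path. createFromUpload() begins and ends outside this hunk.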