Check for valid file extensions is not enforced everywhere

[Michael]

Since it is possible to set allowed/denied file extensions for all 4 file types, there properties should be checked everywhere a file is going to be upload.

For example, if you upload a file directly through the image plugin it checks for a valid extension. If you upload through the file browser, it does not check for extensions. It has to be made on the server.

This complete coverage would make it superfluous to check for the extension on the server-side.

[Alfonso Martínez de Lizarrondo]

You've got the last point. The superfluous thing is the javascript check as it can be easily bypassed by anyone that uses a custom script to upload a file directly to the server.

The javascript check is useful to avoid wasting time uploading a file that will be rejected by the server, but in no way it can be trusted as a security measure.

[Michael]

Alfons,

makes absolutely sense. We should then double check everywhere when upload files not only the quick uploader.

[Frederico Caldeira Knabben]

This ticket does not identify a bug, but a missing feature. It is a request to have the file extension checked on the client side for uploads in the File Browser.

The fact is that the Upload Tab in the dialogs, are part of the FCKeditor interface. Therefore, it is ok to have settings in the fckconfig.js file, that list the allowed/denied extensions to be uploaded through those tabs.

In the other hand, it is well know that FCKeditor integrates transparently with File Managers through the "Browse Server" button. But, it is important to note that FCKeditor and the File Manager (including the default one), are completely separated applications.

The current settings in fckconfig.js actually represent a problem, as they are not automatically aligned with the extensions set in the file browser configuration file. So, to make it work properly, changes in one configuration file must be copied to the other one.

We could instead work to make the File Browser "intelligent", retrieving from the server the list of extensions, enforcing client side checks according to it. We should definitely propose such feature at our advanced File Manager, CKFinder. The default File Browser may live without it as this is not a critical thing.

This "intelligent" approach would work well for the File Browser, but not for the Upload Tabs instead, as the tabs don't know the File Browser features. So, for the tabs, we would still have the fckconfig.js settings as a facility.

In all cases anyway, we must ensure all security checks in the server side, as we are already doing today.