Forbidden extensions in panel file upload

Hello,

Some file extensions seem to be forbidden in panel. I found the validation section in:

kirby/src/Cms/FileRules.php

public static function validExtension(File $file, string $extension): bool
{
	// make it easier to compare the extension
	$extension = strtolower($extension);

	if (empty($extension)) {
		throw new InvalidArgumentException([
			'key'  => 'file.extension.missing',
			'data' => ['filename' => $file->filename()]
		]);
	}

	if (V::in($extension, ['php', 'html', 'htm', 'exe', App::instance()->contentExtension()])) {
		throw new InvalidArgumentException([
			'key'  => 'file.extension.forbidden',
			'data' => ['extension' => $extension]
		]);
	}

	if (Str::contains($extension, 'php')) {
		throw new InvalidArgumentException([
			'key'  => 'file.type.forbidden',
			'data' => ['type' => 'PHP']
		]);
	}

	return true;
}

I need to allow upload of exe files. Is there a way I could extend FileRules object, or modify the behavior without touching Kirby sources? Of course it’s possible to just change the code by hand, but I have Kirby core as a Git submodule, and rather not do manual editing for every environment.

1 Like

For what purpose do you need those .exe files and why can’t you zip them before uploading? After all, this is a security measure and should ideally not be fiddled with.

I’m making a product download portal, where users can download product installers. Some of these installers are for Windows, hence having .exe extension. I would like all panel users to be able to set up product downloads for customers by using the panel only. Access to panel is limited to trusted personnel only.

The products can be zipped, or I can give SFTP-access to other panel users, but those are sub-optimal solutions compared to just being able to upload them. What exactly is the security risk this measure is countering?

Well, I guess it was done for a reason. If the server was not properly configured, those files could probably be executed (at least on a Windows system). Same for PHP or HTML files.

I don’t have an answer for you how you could overwrite those settings, maybe there is some way other than modifying the core that I’m not aware of.

We run our environments in Unix-based systems, so allowing upload of Windows executables should not be an issue. While the list of allowed extensions probably won’t (or shouldn’t) be a configurable parameter, it would be great to be able to extend the FileRules class via plugins and override the validation check – with own risk of course.

Fortunately it’s not a big deal to edit the source for each environment, so I’ll just deal with that. But for any future development, I’d like to hear if somebody has a bit more robust yet secure solution to this issue.