Invalid file types

Hi everyone,

We build a tool using kirby which essentially lets our operations team internally upload small files from either corp or production network. On submit it creates a page in another folder and adds the uploaded files to the page. That’s all working, however we need to be able to upload files with extensions like .srt / .ttml / .otf / .stl / .msg and .htm.

Some of them throw an invalid file type error when no file blueprint with accept: mime: exists. When we do add the file blueprint and we’re trying to upload e.g. a .srt subtitle file we’re getting an error like below. I know you can overwrite existing core classes, so I’m assuming this would be the way to go here? Any guideline how I would start with that? Or is there another way to accomplish this?

I know I could set mime to null to skip checking the mime types, but we’d prefer to still have a list of accepted file extensions. It’s a workaround for sure but I’d still prefer to be able to control the list of accepted extensions.

Kirby\Filesystem\Mime::matches(): Argument #1 ($test) must be of type string, null given, called in ..project\kirby\src\Filesystem\File.php on line 284


For other than default file types, you would have to register these file types first, see Files | Kirby CMS.

Also make sure that your server has the right mime types defined for each of these extensions.

Ohhh I did miss that option @texnixe. Thank you thats working now for all the extra file extensions other then .htm. To get .htm files allowed I’d have to overwrite the FileRules class correct? Cause I do see the catch inside function validExtensionwhich which prevents to upload htm* files. Since this is an internal tool and not facing the www I don’t have any concerns to upload those files.

if (Str::contains($extension, 'htm') !== false) {
	throw new InvalidArgumentException([
		'key'  => 'file.type.forbidden',
		'data' => ['type' => 'HTML']

Right, htm files are disallowed in general.

There are no file models right? I could simply remove those lines above from the FileRules.php file but I don’t want to do that everytime we update Kirby. Just trying to figure out the best approach to this.

No, there are no file models, you would have to create a custom file class instead.

I digged a little further and totally forgot that all files uploaded/submitted by the form already get a file extension of .tmp. So instead of removing the check for a file extension of .htm I’ve removed the mime type check below inside the fileRules → validMime function, before working on a custom file class.

if (V::in($mime, ['text/html', 'application/x-msdownload'])) {
	throw new InvalidArgumentException([
		'key'  => 'file.mime.forbidden',
		'data' => ['mime' => $mime]

After removing the lines I’m getting a new error which looks like Kirby is trying to read the entire file and therefor seems to throw an error. I know that there’s a security reason that .htm files are prohibited to be uploaded but there must be a way to get this allowed… at least I hope so. I also can’t identify from where this error originates from.

The "lang" attribute (line 2) is not allowed: Not included in the global allowlist
The "xmlns:v" attribute (line 5) is not allowed: Not included in the global allowlist

I guess that comes from the Sane class and its handlers for svg and xml files (and by extension then also html).

Yes that seems right… I know this is not an ideal solution but for now I renamed the Sane->HTML.php class to continue further testing. Unfortunately for this project/tool we really need to have those file types allowed to be uploaded.

The other solution I was thinking of is excluding .htm or .html files from the $page->createFile() bit in our code and instead move them after page creation to the page directory. I guess the only caveat would be that $page->files() would not return them. But I could work around that…

Regarding the allowed attributes see also

1 Like