Uploaded image for project: 'XWiki Platform'
  1. XWiki Platform
  2. XWIKI-20266

Ability to restrict attachment upload based on mime types



    • Improvement
    • Resolution: Fixed
    • Major
    • 14.10
    • 13.10
    • Attachments
    • None
    • Unknown


      An option for whitelist and blacklist should be made available, preferably by MIME type, as long as this doesn't have limitations with custom file types.

      Quick analysis:


      • Note: max size of attachment is already supported and configurable per wiki (note: there's no UI for it ATM, only xobject edition)
      • Add an Admin UI to configure max size for attachments (impl note: possibly requires some refactoring to move the config property out of XWikiPreferences)
        • Using an xobject, no need for a UI in a first version
      • Provide a configuration in xwiki.properties and in the Admin UI (i.e. for each subwiki) to allow/disallow uploading attachments of given mime types or file extension (provide both a black list and a white list, and one have precedence over the other one)
      • The allowed/disallowed mime types would be only at user level and not at API level (i.e. not in the Attachment Store) so that applications and extensions can save any mime types/file extensions.
      • Modify the attachment upload UI ("choose files" in the attachment tab) to issue an error if the selected file is not of a supported mime type/file extension
      • Perform checks in all the end points uploading attachments
        • Modify the REST end point to check the config and return an error if not allowed
        • Modify the upload vm to check the config and return an error if not allowed
          • Provide a specific vm to display a proper error and not the generic stack trace vm (exception.vm)


      • Don't include the ability to disable attachment uploading (currently not possible) in a first version
      • We cannot guarantee 100% that attachments of a forbidden mime type will be prevented since getting the mime type is a guess based on the file extension + attachment content parsing (we would be relying on Tika to provide the mime type to us)


        Issue Links



              mleduc Manuel Leduc
              vmassol Vincent Massol
              0 Vote for this issue
              2 Start watching this issue