Hmm, yes, the file can still be uploaded by the user, but what exactly is a malicious user? Someone who left the company and still has access to the system? Or someone who's hacked the system because of easy to guess passwords? Both scenario's are possible but this is not any different from any other system...

But to answer your question, you can't prevent the upload without some programming. But it would take just a single hour to wire up an event handler and either prevent the file from being uploaded/saved to disk or delete the malicious file.

If you really want this feature included in the core, suggest a work item on Codeplex and vote for it. If enough people vote for it, it may even make to the core.

Hope this helps.

Regards,

D/irk

Hi Dirk.

Thanks for the reply. I've already suffered from the second scenario you said: someone hacked the system because of easy to guess password. Then this hacker uploaded an asp script through the backend "images upload" to delete all possible files (in the folders with write permission). What a mess! I still don't know how I'm not fired on that day...

Can you show me only a start point to do this with programing? Because for now, I'm thinking about disable .asp files execution in the site (through IIS).

Thank you again, and sorry about my poor english.

Fernando

What is/was the solution?  Can you please share?

Hi Connie.

I developed a custom upload control (umbraco usercontrol wrapper .ascx) to upload images in the Media section. After that, I found another problem, but solved after some searching, as you can see in this other post.

Fernando

Is your custom control something you can or would share?  Or can you direct me to directions on how to create my own wrapper?  I haven't learned how to create this for Umbraco just yet.

Hi Connie.

Sorry for the long time, I was in vacation.

I'm preparing the control source to send for you. The language is VB.NET (the company programming language), ok?

Please tell me where to send the files.

Fernando

We're actually C# here, but perhaps we can convert your VB code.  Send to [email protected].

Thanks.

Hi Connie.

I sent the files, but with this control I'm havin problems with TinyMCE, so I decided to rollback to Umbraco default upload control.

For now I decided to download the source code of 4.5.2 stable and try to make some changes:
http://umbraco.codeplex.com/SourceControl/changeset/changes/ffc34b23e1a0

I hope it helps.

Fernando

Only for information about this topic... now solved by this way:

I created a key within appSettings at web.config:

<add key="MediaAllowedExtensions" value=".jpg,.jpeg,.gif,.png,.doc,.xls,.pdf,.zip,.wmv,.avi,.swf,.flv" />

After, modified the source code file "components/editorControls/uploadfield/uploadField.cs", within "public void Save()":

...
if (this.PostedFile != null)
{
    if (this.PostedFile.FileName != "")
    {
        /* Added: begin */
        // Doesn't allow file without extension:
        if (this.PostedFile.FileName.IndexOf(".") == -1) return;
        // Get allowed extensions in web.config:
        string sAllowed = System.Configuration.ConfigurationSettings.AppSettings["MediaAllowedExtensions"];
        // Get uploaded file extension (with point):
        string sExtension = this.PostedFile.FileName.Substring(this.PostedFile.FileName.LastIndexOf("."));
        // Check if extension is allowed:
        if (sAllowed.IndexOf(sExtension) == -1) return;
        /* Added: end */
        ...

After, rebuilt the project editorControls and changed dll (umbraco.editorControls.dll).

Hope it helps someone.

Fernando
Umbraco 4.5.2 for .net 3.5
Windows Server 2003 64 bits, IIS 6

is working on a reply...