Help
Ask questions about how to do or fix things in Arrowchat
JInfem
Customer
 
Posts: 6
Joined: 21 Jul 2016, 21:13

 

by JInfem 22 Jul 2016, 09:20

Is there a PHP file that we can modify to limit the types of files that can be uploaded by users? I want to limit them to images, so that they can't upload potentially malicious files (e.g., EXE, PHP, ZIP, etc). Allowing any/all file types to be uploaded by all users can be a major security issue. I've disabled the upload feature for now until I can get this resolved. Thanks for all of your hard work in building this chat!
Jason
ArrowChat Team
 
Posts: 2157
Joined: 12 Dec 2009, 16:06

 

by Jason 22 Jul 2016, 11:44

There already are restricted file types. As far as I know, there is no real way to disable people from trying to upload any file type, but the code in the back-end checks for that and will not allow it.

ArrowChat also does not allow the direct execution or download of an uploaded file, which is an additional security layer.
JInfem
Customer
 
Posts: 6
Joined: 21 Jul 2016, 21:13

 

by JInfem 24 Jul 2016, 09:01

Thanks for getting back with me so quickly. It certainly helps to know that direct execution is prevented. In my testing, I was able to upload zip, txt, and doc files, but not exe. By chance, do you know what file performs the back-end check so that we can limit it further?
SDFltd
Customer
 
Posts: 1
Joined: 15 Jul 2019, 02:42

 

by SDFltd 17 Jul 2019, 03:49

I would love to know if you were able to find where to restrict the file types.

Clearly defining the allowed file extensions should be a feature for future upgrades.
RMcDowell
Customer
 
Posts: 5
Joined: 18 Apr 2016, 19:32

 

by RMcDowell 06 May 2020, 06:34

Any update on this?
zoxtrix
Customer
 
Posts: 68
Joined: 29 Jun 2019, 19:31

 

by zoxtrix 06 May 2020, 10:06

The uploadable file types are controlled by the file extension list at arrowchat/includes/classes/class_uploads.php.

Look for the following allowed file types directive code:
	// ###################### START MAIN UPLOAD SCRIPT #######################
	if (!empty($_FILES)) 
	{
		if ($file_transfer_on == 1 || $chatroom_transfer_on == 1)
		{
			$fileTypes = array('jpg', 'jpeg', 'gif', 'png', 'doc', 'txt', 'zip', 'mp4', 'rar', 'wmv', 'mp3', 'avi'); // Allowed file types
and change or add extensions to your liking.
zoxtrix
Customer
 
Posts: 68
Joined: 29 Jun 2019, 19:31

 

by zoxtrix 06 May 2020, 10:23

The current default allowed file types line for v3.0.x looks like this:
$fileTypes = array('avi', 'bmp', 'doc', 'docx', 'gif', 'ico', 'jpeg', 'jpg', 'mp3', 'mp4', 'pdf', 'png', 'ppt', 'pptx', 'rar', 'tar', 'txt', 'wav', 'wmv', 'xls', 'xlsx', 'zip', '7z'); // Allowed file types
Just remove the extensions you wish to preclude.
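
For the images-only restriction asked about at the top of the thread, here is an added example (not ArrowChat code, and not from any poster) that goes beyond the extension list by also checking the file's content, since the filename is supplied by the client. The function name `safe_image_name()` and its variables are hypothetical; it assumes PHP 7+ with the fileinfo extension enabled.

```php
<?php
// Added example; not ArrowChat code. All names here are hypothetical.

/**
 * Validate one upload and return a safe storage name, or null to reject it.
 * $clientName is the user-supplied filename; $tmpPath is the server temp file.
 */
function safe_image_name(string $clientName, string $tmpPath): ?string
{
    // Allowlist: extension => MIME type the file content must have.
    $allowed = [
        'jpg'  => 'image/jpeg',
        'jpeg' => 'image/jpeg',
        'gif'  => 'image/gif',
        'png'  => 'image/png',
    ];

    // 1. Extension check on the final suffix, case-insensitive.
    $ext = strtolower(pathinfo($clientName, PATHINFO_EXTENSION));
    if (!array_key_exists($ext, $allowed)) {
        return null;
    }

    // 2. Content check: sniff the MIME type from the bytes on disk,
    //    not from $_FILES[...]['type'], which the client controls.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    if ($finfo->file($tmpPath) !== $allowed[$ext]) {
        return null;
    }

    // 3. The file must also parse as an image with readable dimensions.
    if (@getimagesize($tmpPath) === false) {
        return null;
    }

    // 4. Do not reuse the client's filename; store under a random name.
    return bin2hex(random_bytes(16)) . '.' . $ext;
}

// Constructed demo inputs: a 1x1 GIF, and a PHP script to be named ".gif".
$gif = tempnam(sys_get_temp_dir(), 'up');
file_put_contents($gif, base64_decode('R0lGODlhAQABAIAAAAAAAP///ywAAAAAAQABAAACAUwAOw=='));
$php = tempnam(sys_get_temp_dir(), 'up');
file_put_contents($php, "<?php echo 'hi'; ?>");

var_dump(safe_image_name('Photo.GIF', $gif)); // real GIF, allowed extension
var_dump(safe_image_name('notes.gif', $php)); // allowed extension, wrong content
var_dump(safe_image_name('tool.exe', $gif));  // extension not on the allowlist
unlink($gif);
unlink($php);
```

In a real handler, `$clientName` and `$tmpPath` would come from `$_FILES[...]['name']` and `$_FILES[...]['tmp_name']`, and the returned name would be the target passed to `move_uploaded_file()`.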