Allow to change upload formats for managed_file

Created on 8 June 2023, over 1 year ago
Updated 20 August 2024, 3 months ago

There is currently no way to change the formats for adding files

✨ Feature request
Status

Needs work

Version

1.0

Component

Code

Created by

🇺🇦Ukraine NotifyOne

  • Needs issue summary update

    Issue summaries save everyone time if they are kept up-to-date. See Update issue summary task instructions.

Comments & Activities

  • Issue created by @NotifyOne
  • Status changed to Needs work over 1 year ago
  • Core: 10.0.7 + Environment: PHP 7.4 & MySQL 5.7
    last update over 1 year ago
    Composer require failure
  • Status changed to Needs review over 1 year ago
  • Issue was unassigned.
  • Status changed to RTBC over 1 year ago
  • 🇮🇳India shyam_bhatt Gujarat

    I have checked that "MR !11" is working fine with the field type "managed_file".

    Please check the below steps:

    1. Install and enable the Menu Link Attributes module.
    2. Go to the configuration page "/admin/config/menu_link_attributes/config".
    3. Add the "managed_file" field as per the below code:
      icon-attr:
        label: 'icon label'
        type: managed_file
        upload_location: 'public://module-images/menu-link-images/'
        file_validate_extensions: 'gif png'

    The "file_validate_extensions" key was added to the patch, so we can restrict the file to different extensions.
    Please check the after image.

    It will not allow a jpg file.

    It will allow only png and gif files.

  • Assigned to jcnventura
  • 🇩🇪Germany Anybody Porta Westfalica

    @jcnventura: What do you think about this addition as original maintainer? I'd like to have a sign-off first, before merging this. Thanks!

  • Status changed to Needs work 3 months ago
  • 🇵🇹Portugal jcnventura

    First, to clarify that the original maintainer is @yannickoo.

    Second, this change has security implications that may not be transparent to site administrators. With this, the person responsible for managing the menu can now define both where an upload is added and the file type. I don't think it would be too hard to use this to now inject a malicious JS or PHP file in the system somewhere where it is an XSS or code injection problem.

    I know it is a pain to maintain, but this should really use a hard-coded allowlist of possible extensions (jpg, jpeg, gif, png, svg, etc.) and only apply those extensions that are in the whitelist.

    Also note that this may not be compatible with Drupal 11: https://www.drupal.org/node/3363700

    This, coupled with the fact that the issue summary doesn't even say why this would be a nice feature to have, leaves me with a lot of reservations on whether this is RTBC. I'm setting this to needs work, so that we are sure to have a system that works with the new file.validator service, and also to somehow block the security issue that I believe this is introducing.

  • Issue was unassigned.
  • 🇩🇪Germany Anybody Porta Westfalica

    Thanks @jcnventura my feelings were the same and sorry I thought you were the original maintainer :)

  • 🇩🇪Germany Anybody Porta Westfalica

    Setting this to minor until we have a clear issue summary pointing out why this is needed / useful. Added tags to sum up #8

  • First commit to issue fork.
  • Pipeline finished with Success
    3 months ago
    Total: 144s
    #259042
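
One way to implement the hard-coded allowlist asked for in the review comment above, as an added example that is not part of the merge request or the module's own code. The function names and the contents of the allowlist are assumptions of this example.

```php
<?php

declare(strict_types=1);

// Hypothetical hard-coded allowlist (an assumption of this example). "svg",
// which the review comment lists, is left out because SVG files can embed script.
const MLA_ALLOWED_EXTENSIONS = ['gif', 'jpeg', 'jpg', 'png'];

/**
 * Reduces a configured extension string to the entries on the allowlist.
 *
 * @param string $configured
 *   Value of "file_validate_extensions" from the YAML, e.g. 'gif png'.
 *
 * @return string
 *   Space-separated, lower-cased, de-duplicated allowed extensions. Falls back
 *   to the whole allowlist when nothing valid remains, so the result is never
 *   empty and never contains an extension outside the allowlist.
 */
function mla_filter_extensions(string $configured): string {
  $requested = preg_split('/[\s,]+/', strtolower(trim($configured)), -1, PREG_SPLIT_NO_EMPTY) ?: [];
  // Strip a leading dot so ".png" and "png" are treated alike.
  $requested = array_map(static fn(string $e): string => ltrim($e, '.'), $requested);
  $allowed = array_values(array_unique(array_intersect($requested, MLA_ALLOWED_EXTENSIONS)));
  return implode(' ', $allowed ?: MLA_ALLOWED_EXTENSIONS);
}

/**
 * Builds the '#upload_validators' value for a managed_file form element.
 */
function mla_upload_validators(string $configured): array {
  // Same validator key as in the configuration shown in the thread. With the
  // file.validator service the filtered string would be handed to that
  // service's extension check instead.
  return ['file_validate_extensions' => [mla_filter_extensions($configured)]];
}

// Constructed sample inputs: a valid value, a mixed one, a hostile one, empty.
foreach (['gif png', 'PNG php js', 'phar .htaccess', ''] as $value) {
  printf("%-18s => %s\n", var_export($value, true), mla_filter_extensions($value));
}
```

The filter only narrows the extension list; the configurable "upload_location" raised in the same comment needs its own restriction.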