Secure File Upload – Restrict files uploaded via WFFM by MIME type and file size
At the beginning of the year I posted a blog on a secure way to validate uploaded files that goes beyond checking the file extension. I have since redeveloped it from the ground up to exist as a self-contained module, which is now available on the Sitecore Marketplace for Sitecore 8 all the way back to 6.5.
The module is a secure and robust way to ensure that users can only upload files of a permitted type and within a permitted file size, reducing the risk from both malicious uploads and human error. The default File Upload field in WFFM limits neither the type of file uploaded nor its size.
What's more, the module now allows Content Editors to define the allowed file types and size for each Web Forms for Marketers form the Secure File Upload field is added to, freeing the field to be used in a variety of applications.
The module ships with 23 MIME types already defined. Furthermore, as the MIME types are stored as Sitecore items, new ones can be added to cover every file type the client uses.
Secure File Upload Field
The module contains a new custom Field Type for Web Forms for Marketers: Secure File Upload. Once added to the form there are a number of properties the Content Editor can change:
- Upload To – Location in Sitecore where the Files will be stored once uploaded
- Max file size – The maximum size the file can be in MB
- Items – The folder containing all possible Mime Types to select
- Selected Values – One or many Mime Types that are allowed to be uploaded
The field implements the existing ListItemsAdapter with significant modifications: code to give the Content Editor control of the file size and to handle the case where no size is provided.
The property holding the list of MIME types defaults to the File Types folder in Sitecore, and the list's Value property is set to the item's ID. This saves the Content Editor from searching for the folder each time and from having to know that the ID must be selected as the Value.
File Type Validator
One of the two validators in the module, the File Type Validator carries out MIME type sniffing of the uploaded file's content and compares the result against the known MIME types.
The validator retrieves the permitted file types from the File Types selected in the Secure File Upload field: the selectedvalue property contains the IDs of the File Type Sitecore items, which hold the values needed for the comparison.
The File Type item is a simple template with a field for the Byte Array Sequence of the MIME type (the signature bytes, stored as comma-separated values) and an optional File Extension to improve accuracy. By default they are installed at a path within Web Forms for Marketers:
/sitecore/system/Modules/Web Forms for Marketers/Settings/Meta data/File Types
From the collection of File Types chosen by the Content Editor, the MimeTypeAllowed method loops through them and compares the uploaded file's byte array against each sequence for a match.
The file extension is optional and is used only to distinguish between MIME types with similar signatures; the match itself is made on the file's bytes, not on the name the user gave it. If a file matches more than one MIME type, the match whose File Extension agrees with the uploaded filename is favoured.
File Size Validator
The File Size Validator is as simple as the name suggests: it compares the size of the uploaded file to the maximum set against the Secure File Upload field. It could easily be applied to other fields, provided they expose a max file size property.
If the Content Editor leaves the limit empty, any file size is permitted, so an empty limit fails open; set it deliberately on every form. Note also that this check runs after the request has already been received by the server, so it does not replace the request-size limits enforced by ASP.NET and IIS (httpRuntime maxRequestLength and requestLimits maxAllowedContentLength).
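The matching and size rules described in the File Type Validator and File Size Validator sections, as an added example that is not the module's own code (the module is C#; Python is used here because the technique is language-independent). The FileType class, the ALLOWED_TYPES list, the helper names and the sample file contents are my own constructions; the byte sequences are the standard leading bytes of each format, entered as comma-separated values the way the File Type item stores them. The example goes slightly beyond the post in one respect: where several types share a signature and the extension settles nothing, it refuses the file rather than guessing.

```python
from __future__ import annotations

import os
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class FileType:
    """One permitted type, mirroring the File Type item described above.

    byte_sequence is the signature stored as comma-separated decimal bytes,
    as a Content Editor would enter it; extension is optional and only breaks
    ties between types that share a signature.  (Constructed for this example.)
    """
    name: str
    byte_sequence: str
    extension: Optional[str] = None

    def signature(self) -> bytes:
        sig = bytes(int(b) for b in self.byte_sequence.split(",") if b.strip())
        if not sig:
            # An empty sequence would match every file; treat it as a config error.
            raise ValueError(f"file type {self.name!r} has an empty byte sequence")
        return sig


# Constructed allow-list.  ZIP and DOCX share the same leading bytes, which is
# exactly the case the optional extension exists for.
ALLOWED_TYPES = [
    FileType("png", "137,80,78,71,13,10,26,10", ".png"),
    FileType("jpeg", "255,216,255", ".jpg"),
    FileType("pdf", "37,80,68,70"),
    FileType("zip", "80,75,3,4", ".zip"),
    FileType("docx", "80,75,3,4", ".docx"),
]


def mime_type_allowed(data: bytes, filename: str, allowed: list[FileType]) -> Optional[FileType]:
    """Sniff the file's leading bytes and return the matching FileType, or None.

    Matching is on content only; the filename extension never admits a file by
    itself.  With exactly one signature match the file is accepted regardless
    of extension (the extension is optional).  With several matches the one
    whose extension agrees with the filename wins; if none does, the result is
    ambiguous and the file is refused (my choice: fail closed rather than guess).
    """
    ext = os.path.splitext(filename)[1].lower()
    matches = [ft for ft in allowed if data.startswith(ft.signature())]
    if len(matches) == 1:
        return matches[0]
    by_ext = [ft for ft in matches if ft.extension and ft.extension.lower() == ext]
    return by_ext[0] if by_ext else None


def file_size_allowed(data: bytes, max_size_mb: Optional[float]) -> bool:
    """Size rule from the File Size Validator: an empty limit (None) permits any size."""
    if max_size_mb is None:
        return True
    return len(data) <= max_size_mb * 1024 * 1024


def validate_upload(data: bytes, filename: str, allowed: list[FileType],
                    max_size_mb: Optional[float]) -> tuple[bool, str]:
    """Run both validators; returns (accepted, reason or matched type name)."""
    if not file_size_allowed(data, max_size_mb):
        return False, "file exceeds the maximum size"
    ft = mime_type_allowed(data, filename, allowed)
    if ft is None:
        return False, "file content does not match a permitted type"
    return True, ft.name


# Constructed sample uploads: a PNG header, a ZIP header, and a Windows PE
# header ("MZ") renamed to look like an image.
PNG_SAMPLE = bytes([137, 80, 78, 71, 13, 10, 26, 10]) + b"\x00" * 24
ZIP_SAMPLE = b"PK\x03\x04" + b"\x00" * 28
EXE_SAMPLE = b"MZ\x90\x00\x03\x00\x00\x00" + b"\x00" * 24

if __name__ == "__main__":
    for sample, name in [(PNG_SAMPLE, "photo.png"), (EXE_SAMPLE, "photo.png"),
                         (ZIP_SAMPLE, "report.docx"), (ZIP_SAMPLE, "archive.bin")]:
        print(name, validate_upload(sample, name, ALLOWED_TYPES, 1))
```

The renamed executable is rejected even though its extension is on the allow-list, which is the whole point of sniffing bytes instead of trusting the name; the ZIP-signature file is accepted as docx or zip only when its extension says which one it is.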
And that's it!
Content Editors have full control over the types and size of files their users upload on every form, ensuring the accuracy of what is uploaded and making malicious uploads considerably harder. All that's left is to use the default Captcha field to deter automated submissions and everything is good.
The full source code can be found on GitHub: https://github.com/islaytitans/FileUploadValidator