Security Controls Question

Posted: Sun Apr 06, 2025 7:13 am
by ninjacatdev
Hi all,

I was wondering if you have any updated thoughts on admin portals, security boundaries, and authenticated vulnerabilities, specifically regarding file upload issues. For example, allowing PHAR and PHTML files while excluding PHP file extensions.
https://okankurtulus.com.tr/2023/06/26/ ... enticated/

I came across some older posts mentioning that adding controls wasn’t prioritized at the time, and I’d like to learn more about it from a developer’s perspective. I also noticed that a mitigation for PHP files was implemented in earlier versions and was wondering if there are plans to add more controls in the future. :)

Thank you for your time.
Best regards,
ninjacatdev

Re: Security Controls Question

Posted: Sun Apr 06, 2025 1:53 pm
by DIGI3
Our stance on this hasn't really changed. Given that site owners have the ability to add whatever code they like to their website, including PHP via User Defined Tags, restricting what they can upload wouldn't really improve security. At one point we restricted the uploading of PHP files but in retrospect this was likely a mistake as it brought about a lot of "but what about [every other filetype]?"

I think the only good option would be to have a configurable list of banned filetypes that site owners can add to, but this isn't high on our priority list. If a developer would like to submit this change we'd definitely consider it. The file manager and filepicker modules could also be forked should someone desire.
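To make the "configurable list of banned filetypes" idea concrete, here is an added example of what such a check could look like. It is not code from CMS Made Simple or from either poster: the baseline list of extensions, the `$extraBanned` site-owner additions, and the function names are assumptions made for the illustration. It deliberately checks every dot-separated segment of the name (so `avatar.php.jpg` is caught on servers that honour secondary extensions), normalises case, and rejects names carrying control characters, since those are the usual ways a plain "ends with .php" test is sidestepped by variants such as PHAR or PHTML. Whatever the list contains, the check only narrows what the web server might execute; storing uploads outside the document root or disabling script execution in the upload directory is still the stronger control.

```php
<?php
declare(strict_types=1);

// Baseline deny list (an assumption for this example): extensions that common
// PHP-serving configurations may hand to the PHP interpreter, plus Apache
// per-directory config files that an uploader must never be able to overwrite.
const BASELINE_BANNED_EXTENSIONS = [
    'php', 'php3', 'php4', 'php5', 'php7', 'php8', 'phps', 'phtml', 'phar', 'pht',
    'htaccess', 'htpasswd',
];

/**
 * Merge the baseline with site-owner additions (hypothetical config setting)
 * and normalise every entry to a lower-case extension without a leading dot.
 */
function buildDenyList(array $extraBanned = []): array
{
    $list = array_merge(BASELINE_BANNED_EXTENSIONS, $extraBanned);
    $list = array_map(fn(string $e): string => ltrim(strtolower(trim($e)), '.'), $list);
    return array_values(array_unique(array_filter($list, fn(string $e): bool => $e !== '')));
}

/**
 * Return true when the filename carries no banned extension in ANY segment.
 * Only the basename is inspected; directory components are ignored.
 */
function isUploadAllowed(string $filename, array $denyList): bool
{
    $base = basename($filename);

    // Control characters (including NUL) have no place in an upload name and
    // would otherwise let "shell.php\0.jpg" slip past a segment comparison.
    if (preg_match('/[\x00-\x1f\x7f]/', $base) === 1) {
        return false;
    }

    $parts = explode('.', strtolower($base));
    if (count($parts) < 2) {
        return true; // no extension at all: nothing for the server to execute
    }
    array_shift($parts); // drop the stem; every remaining segment is an extension

    foreach ($parts as $ext) {
        if (in_array($ext, $denyList, true)) {
            return false;
        }
    }
    return true;
}

// Constructed sample names (not taken from the original thread) with the
// decision each should produce; the script exits non-zero on any mismatch.
$denyList = buildDenyList(['exe', '.BAT']); // site-owner additions, hypothetical
$samples = [
    'report.pdf'     => true,
    'logo.PNG'       => true,
    'index.php'      => false,
    'index.PhTmL'    => false,
    'archive.phar'   => false,
    'avatar.php.jpg' => false, // secondary extension still matches
    '.htaccess'      => false,
    'setup.exe'      => false, // from the site owner's extra list
    "pic.php\0.jpg"  => false, // embedded NUL byte
];

foreach ($samples as $name => $expected) {
    $actual = isUploadAllowed($name, $denyList);
    printf("%-18s %s\n", addcslashes($name, "\0..\37"), $actual ? 'allowed' : 'rejected');
    if ($actual !== $expected) {
        fwrite(STDERR, "unexpected result for " . addcslashes($name, "\0..\37") . "\n");
        exit(1);
    }
}
```

Run it with `php upload_check.php`; the strict `in_array` comparison and the per-segment loop are the two details that matter, because a loose `substr`/`pathinfo` test on the last extension alone is exactly what the multi-extension and PHTML/PHAR variants mentioned in the question get around.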