config deniedassetfileextensions

DeniedAssetFileExtensions

A configuration directive for specifying an explicit blacklist of file extensions allowed for uploaded files. Because an explicit blacklist implicitly means everything else is allowed, it is more permissive than its whitelist counterpart, AssetFileExtensions, which implicitly disallows everything that is not specified.

Please see AssetFileExtensions for details on syntax and usage.

Default value

DeniedAssetFileExtensions defaults to the following array of patterns:

• ascx
• asis
• asp
• aspx
• bat
• cfc
• cfm
• cgi
• cmd
• com
• cpl
• dll
• exe
• htaccess
• html?
• inc
• jhtml
• js
• jsb
• jsp
• mht(ml)?
• msi
• php[s\d]?
• phtml?
• pif
• pl
• pwml
• py
• reg
• scr
• sh
• shtml?
• vbs
• vxd

Special values

Like AssetFileExtensions, DeniedAssetFileExtensions also accepts the special value, DEFAULT (all caps!), which can be used extend the default list in your config.cgi. For example the following adds three MSFT Office formats to the list above:

DeniedAssetFileExtensions DEFAULT
DeniedAssetFileExtensions doc
DeniedAssetFileExtensions xls
DeniedAssetFileExtensions ppt

Without the DEFAULT value, the above would replace the default list with those three patterns.

While extending the list is simple, because of the precedence of the two configs, removing elements from the default list is impossible without reproducing the entire list of desired patterns.

A note for Movable Type users

Please note that the implementation of this directive differs significantly from that in Movable Type and will need to be converted upon upgrade to Melody.

Related

• Original request for this feature: Enable admins to limit types of upload files (Case 6478)

• Categories: Appendix: Configuration Directives

• Tags: asset, config, extension, file, New in MT5, New in Melody 1.0.2, upload