ExpressionEngine CMS

This is an archived forum and the content is probably no longer relevant, but is provided here for posterity.

security_error in file uploading with .vcf

July 02, 2011 4:08pm

  • #1 / Jul 02, 2011 4:08pm

    gcylinder

    49 posts

    I’ve set my file upload preferences to be “All file types” for my upload directory, but when I try to upload vcard files with the .vcf suffix, I get a security_error.

    I looked at system/expressionengine/libraries/Filemanager.php and (I’m not a PHP expert by any means) the code seems to indicate that if “All file types” is selected, to allow file types with * file suffixes, or any file suffix. So I take it there are other steps I need to take to allow .vcf files to be uploaded when creating/editing entries, and maybe to be downloaded by the end user (as opposed to being displayed as text in the browser).

    Point me in the right direction? Other forum posts on vcards (that I’ve found anyway) seem to deal with creating vcards on-the-fly, and the one other post I found dealing with my kind of issue seems to deal with EE 1.x. Thanks in advance.

  • #2 / Jul 02, 2011 6:55pm

    narration

    773 posts

    Here’s something you can try.

    ExpressionEngine has these days exceedingly tight security for XSS - cross-site scripting security.

    It’s known to disallow uploading of many PDF files, for example, due to some content we’ve identified (printer intent) which may look like something the protection wants to stop.

    I’m not sure what could be in a VCF file that might look bad, but I have noticed other file types setting off the protection.

    What you can test is whether turning off XSS on uploaded files allows your VCF. You set that in Admin>Security and Privacy>Security and Sessions Preferences.

    Regards,
    Clive

  • #3 / Jul 02, 2011 7:27pm

    gcylinder

    49 posts

    Nuts. That didn’t work. But I appreciate the suggestion. (I didn’t think to look in the security settings.)

    This isn’t a deal-breaker for the site I’m working on, but I was always able to do it for similar client sites in EE 1.x. Kind of a bummer that there isn’t a way to add the file suffix/mime type.

  • #4 / Jul 05, 2011 9:48am

    Sue Crocker

    26054 posts

    Thanks for the assist, Clive.

    gcylinder, did you add the suffix to the mimes.php file? It may or may not work with XSS filtering turned on.

  • #5 / Jul 15, 2011 1:52pm

    kscot

    91 posts

    I just ran into this problem myself. Adding ‘vcf’ to the array in the mimes.php file did the trick! Add the following line of code:

    'vcf'   =>  'text/x-vcard'

  • #6 / Jul 15, 2011 1:56pm

    gcylinder

    49 posts

    Thanks, Sue and kscot, for the follow up. This requirement got dropped from my project, but it’s good to know the resolution for the future.

  • #7 / Jul 15, 2011 4:30pm

    Brandon Jones

    5500 posts

    Thanks kscot!

    gcylinder, sounds like you’re good to go for now but please post again if anything else comes up.
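
An added example, not part of the thread and not ExpressionEngine's own code: one way an upload check built on an extension-to-MIME map can behave, showing why a file is refused until its extension has an entry like the one in post #5. The function `check_upload`, every map entry other than the `vcf` key, and the use of PHP's fileinfo extension are assumptions of this sketch.

```php
<?php
// Added example: hypothetical allowlist check, not ExpressionEngine's code.
// Extension => accepted MIME types, in the style of a mimes.php array.
$mimes = array(
    'pdf' => array('application/pdf'),
    'txt' => array('text/plain'),
    // The extension from post #5. libmagic versions label vCards
    // differently, so the extra types are an assumption of this example.
    'vcf' => array('text/x-vcard', 'text/vcard', 'text/plain'),
);

/**
 * Return array(bool $ok, string $reason) for a file on disk.
 */
function check_upload($path, $client_name, array $mimes)
{
    $ext = strtolower(pathinfo($client_name, PATHINFO_EXTENSION));
    if ($ext === '' || !isset($mimes[$ext])) {
        return array(false, "extension '$ext' is not in the MIME map");
    }
    // Sniff the content instead of trusting the browser-supplied type.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $detected = $finfo->file($path);
    if ($detected === false || !in_array($detected, $mimes[$ext], true)) {
        return array(false, "content type '$detected' does not match .$ext");
    }
    return array(true, "accepted as $detected");
}

// Constructed sample input: a minimal vCard written to a temp file.
$tmp = tempnam(sys_get_temp_dir(), 'vcf');
file_put_contents($tmp, "BEGIN:VCARD\r\nVERSION:3.0\r\nFN:Example Person\r\nEND:VCARD\r\n");

list($ok, $why) = check_upload($tmp, 'contact.vcf', $mimes);
echo ($ok ? 'OK: ' : 'REJECTED: ') . $why . "\n";

// Without the 'vcf' entry the same file fails at the extension lookup.
$without = $mimes;
unset($without['vcf']);
list($ok, $why) = check_upload($tmp, 'contact.vcf', $without);
echo ($ok ? 'OK: ' : 'REJECTED: ') . $why . "\n";

unlink($tmp);
```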
