ExpressionEngine CMS

This is an archived forum and the content is probably no longer relevant, but is provided here for posterity.


MIME type error in file upload

August 23, 2007 7:01pm

  • #1 / Aug 23, 2007 7:01pm

    Silencio

    46 posts

    While setting up member access to weblogs I keep getting the same error when logged in as a member trying to upload a PDF or JPEG.

    The file you are attempting to upload has invalid content for its MIME type.

    When I access the same weblog as the administrator the files upload no problem. The problem only occurs when I’m logged in as a member.

    Any suggestions?

  • #2 / Aug 23, 2007 7:19pm

    Lisa Wess

    20502 posts

    You’ll need to edit /system/lib/mimes.php and add those mime types.

  • #3 / Aug 23, 2007 7:41pm

    Silencio

    46 posts

    You’ll need to edit /system/lib/mimes.php and add those mime types.

    Perhaps I’m not following correctly; the jpg and pdf mime types are already in the mimes.php file. The files I am trying to upload are .jpg and .pdf, which work fine/great while I’m logged in as an administrator, but as soon as I log in as a member and try to upload, it gives me the mime type error.

    Am I missing what you meant?

  • #4 / Aug 23, 2007 7:46pm

    Sue Crocker

    26054 posts

    Link

    This link has some information about what might be causing the problems for your users. The solution is in there as well. See if that helps.

  • #5 / Aug 23, 2007 8:02pm

    Silencio

    46 posts

    That did it. Thanks!

  • #6 / Aug 24, 2007 1:30pm

    One of my users is getting the same problem uploading a PDF. Although when I check it logged in as a user rather than admin I just get “The filetype you are attempting to upload is not allowed”. I have checked the file upload settings and the mimes.php file and all look OK.

    I have looked at the link to the solution, but that solution seems to be to turn off a security check. I would rather not remove a security check that I assume was put in for a good reason.

    Is there a “proper” solution to this or is it a bug that needs fixing?

  • #7 / Aug 24, 2007 1:32pm

    Lisa Wess

    20502 posts

    It is not a bug that needs fixing.  Can you test turning off the XSS sanitizing temporarily and see if that lets them upload, so we know if it is that or not?  You can turn it on after if you wish while we discuss the issue. =)

  • #8 / Aug 24, 2007 1:53pm

    Turned off XSS and it allowed the upload.

  • #9 / Aug 24, 2007 2:04pm

    Lisa Wess

    20502 posts

    Where do you allow file uploads? Is it only for entries or are you using a wiki or the forum module?  And what types of files do you generally expect? Right now that is a site-wide setting that it seems you need to turn off in your case.  You could certainly make a feature request to make it per-member group or with varying levels of strictness or some other option. =)

  • #10 / Aug 24, 2007 2:32pm

    I set it to allow file uploads for a member group called Reporters at:
    CP Home › Admin › Weblog Administration › File Upload Preferences › Edit File Upload Preferences.

    And “Allow all file types”.

    Reporters are using the Control Panel to Publish new entries.

    I would expect pdf, doc, jpg, gif.
    Isn’t this a very normal use of a CMS that the default setup should allow?

    I also notice that there is no mention of XSS filtering in the User Guide section on Security and Session Preferences.

    I tried uploading a gif, jpg and doc with XSS on and as a reporter and they all worked OK, so it looks like PDFs are the problem.

  • #11 / Aug 24, 2007 2:55pm

    Lisa Wess

    20502 posts

    Yes, PDFs tend to have some extra meta data that is being sanitized against as it can be used… in a bad way.  We make the default more strict to protect people, but if you need to open it up a bit for PDFs, then that’s fine. =)

  • #12 / Aug 05, 2008 2:08pm

    Corey Lane

    34 posts

    A user was having the same issue and disabling the XSS filtering seems to resolve the issue.

    Is the XSS sanitization disabled by default for super admins? Is that why I could not reproduce the error on my account but I could on a regular user account?

    Thanks.

  • #13 / Aug 05, 2008 2:12pm

    Derek Jones

    7561 posts

    Yes, Super Admins are exempted from XSS file scanning.  Incidentally, we are working right now on some methods to help reduce the false positives that are generated by certain content types.  We won’t be able to eliminate them and still have any modicum of security, but we’re improving the balance.

  • #14 / Aug 05, 2008 3:49pm

    Riverboy

    2993 posts

    Yes, Super Admins are exempted from XSS file scanning.  Incidentally, we are working right now on some methods to help reduce the false positives that are generated by certain content types.  We won’t be able to eliminate them and still have any modicum of security, but we’re improving the balance.

    Nice to read about that. Hopefully it brings some light to us! Thanks for that info, Derek!

  • #15 / Aug 05, 2008 3:51pm

    Corey Lane

    34 posts

    Yup, thanks for the reply Derek. I’m excited about 2.0 fo sho
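
An added example, not from the thread or from ExpressionEngine's code, illustrating the trade-off raised in posts #11 and #13: a type-blind markup scan rejects a PDF for its ordinary XML metadata, while a check that first confirms the file type and then looks for type-specific active content does not. The rule lists, sample bytes, function names and sniffing-window size are constructed assumptions.

```python
import re

# Constructed rules and samples for illustration; not ExpressionEngine's own checks.
TAG_LIKE = re.compile(rb"<[A-Za-z!?/]")  # anything that looks like markup
PDF_ACTIVE = re.compile(rb"/(JavaScript|JS|OpenAction|Launch)\b")  # PDF action keys
MAGIC = {"pdf": (b"%PDF-",), "jpg": (b"\xff\xd8\xff",), "gif": (b"GIF87a", b"GIF89a")}
SNIFF_WINDOW = 256  # assumed number of leading bytes a content-sniffing browser inspects

BENIGN_PDF = (b"%PDF-1.4\n1 0 obj\n<< /Type /Metadata /Subtype /XML >>\nstream\n"
              b"<?xpacket begin=''?><x:xmpmeta xmlns:x='adobe:ns:meta/'></x:xmpmeta>\n"
              b"endstream\nendobj\n%%EOF\n")
SCRIPTED_PDF = (b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog /OpenAction 2 0 R >>\nendobj\n"
                b"2 0 obj\n<< /S /JavaScript /JS 3 0 R >>\nendobj\n%%EOF\n")
HTML_AS_JPG = b"<html><body>not an image</body></html>"


def naive_scan(data):
    """Type-blind check: True means the upload is rejected."""
    return TAG_LIKE.search(data) is not None


def typed_scan(filename, data):
    """Type-aware check: returns (accepted, reason)."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    ext = "jpg" if ext == "jpeg" else ext
    if ext not in MAGIC:
        return False, "extension not allowed"
    if not data.startswith(MAGIC[ext]):
        return False, "content does not match extension"
    if ext == "pdf":
        # XML metadata is normal in a PDF; action keys are what make it active.
        # Plain-text match only: keys in compressed streams or written with #xx
        # escapes are missed, so this complements a real PDF parser.
        if PDF_ACTIVE.search(data):
            return False, "PDF contains action keys"
        return True, "ok"
    # Images: markup matters where a sniffing browser would look for it.
    if TAG_LIKE.search(data[:SNIFF_WINDOW]):
        return False, "markup in image header"
    return True, "ok"


if __name__ == "__main__":
    for name, blob in [("benign.pdf", BENIGN_PDF), ("scripted.pdf", SCRIPTED_PDF),
                       ("photo.jpg", HTML_AS_JPG)]:
        print(name, "naive rejects:", naive_scan(blob), "typed:", typed_scan(name, blob))
```

On these samples the type-blind scan rejects the benign PDF yet accepts the one carrying action keys, which is the false-positive and false-negative pattern a per-type check is meant to reduce.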
