
File upload validation issue with allowed extensions in File Manager widget

Issue

Despite using the Allow Extensions option in the File Manager widget to restrict uploads to specific file types (such as PDF, DOC, and DOCX), the widget still accepts:

  • Files with double extensions (e.g., file.exe.png, file.svg.pdf)
  • Files with null byte extensions (e.g., file%00.docx)
  • Malicious files (e.g., .exe files renamed with allowed extensions)

The validation only checks the file extension and does not verify the actual file content or MIME type, allowing potentially malicious files to be uploaded successfully.

Environment

File Manager widget (all versions)

Cause

The File Manager widget's "Allowed Extensions" feature performs only basic validation: it checks whether the filename ends with one of the specified extensions. This feature is not designed as a security mechanism and does not inspect the actual file content or MIME type to verify that it matches the declared extension.

Solution / Workaround

To properly validate file content and mitigate the risk of malicious uploads, refer to the Scanning Uploaded Files for Malicious Content section in the Mendix documentation.
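As an added illustration (not Mendix code and not the widget's own logic), the following Python shows the checks the article says the extension filter lacks: rejecting null bytes and stacked extensions, and verifying that the content's magic bytes match the allowed PDF, DOC and DOCX types. The function names and the sample DOCX package are constructed for this example.

```python
import io
import re
import zipfile

# Content signatures for the extensions the article allows. A .docx is an
# OOXML package, i.e. a ZIP archive that must contain word/document.xml.
_MAGIC = {
    "pdf": b"%PDF-",
    "doc": b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1",  # OLE2 compound document
    "docx": b"PK\x03\x04",                         # ZIP local file header
}
# Exactly one extension: 'file.exe.png' and 'file.svg.pdf' do not match.
_SAFE_NAME = re.compile(r"^[A-Za-z0-9][A-Za-z0-9 _-]*\.([A-Za-z0-9]+)$")


def _is_docx_package(data: bytes) -> bool:
    """A real .docx is a ZIP holding word/document.xml, not just any ZIP."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = set(zf.namelist())
    except zipfile.BadZipFile:
        return False
    return "[Content_Types].xml" in names and "word/document.xml" in names


def validate_upload(filename: str, data: bytes, allowed=("pdf", "doc", "docx")):
    """Return (accepted, reason). Rejects null bytes, multiple extensions and
    content whose signature does not match the declared extension."""
    # 1. Raw or percent-encoded null bytes can truncate the name downstream.
    if "\x00" in filename or "%00" in filename.lower():
        return False, "null byte in filename"
    # 2. Name must be <name>.<ext> with a single, allowed extension.
    m = _SAFE_NAME.match(filename)
    if not m:
        return False, "filename must have exactly one extension"
    ext = m.group(1).lower()
    if ext not in allowed:
        return False, f"extension .{ext} not allowed"
    # 3. Content must actually be what the extension claims (renamed .exe fails).
    magic = _MAGIC.get(ext)
    if magic is None or not data.startswith(magic):
        return False, f"content does not match .{ext} signature"
    if ext == "docx" and not _is_docx_package(data):
        return False, "ZIP is not a Word package"
    return True, "ok"


def build_sample_docx() -> bytes:
    """Constructed minimal Word package (not a real document) for local testing."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
    return buf.getvalue()
```

Signature checks catch mislabelled files but not a genuine PDF or DOCX carrying malicious content, which is why the article's pointer to scanning uploaded files still applies.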

Related internal information

  • 257344
  • CJZ85RLTA/p1755678540440019

Additional information

Not Applicable
