turner2f
Posted September 22, 2020

In the interest of SECURITY and server storage . . .
We need the ability to Limit the File Size and Restrict certain File types from Upload within the Support Manager?
Such as for restricting .exe and .zip and .rar files
1) - This way the system does not get exploited via a shell script
2) - So that huge files do not get uploaded to the system and eat up server storage.
Need an option for this within the system's "Support Manager".
==========
NOTE: Some WordPress plugins have this ability.
Just inquiring to see if the same restriction function can be implemented into Blesta.
==========
If there is a way to accomplish this via an .htaccess or C-Panel,
please let us know with some intuitive instruction on how to do so.
Thanks in advance.

Jono
Posted September 22, 2020

1) Make sure your uploads directory is not publicly accessible and this should not be an issue
2) Max file upload size can be controlled through your php.ini file using the upload_max_filesize option

turner2f (Author)
Posted September 22, 2020

47 minutes ago, Jono said:
> 1) Make sure your uploads directory is not publicly accessible and this should not be an issue
> 2) Max file upload size can be controlled through your php.ini file using the upload_max_filesize option

@Jono
How do we make it so that the uploads folder is not publicly accessible?
Instructions, please.
==========
IMPORTANT NOTE: I was referring to restricting certain exploit file types directly through the Support Manager interface.
So that a person could not upload exploitative files as attachments to Support Tickets.
Such as "RAR", "ZIP", and "TXT" files.
How do we prevent that from happening?

Jono
Posted September 22, 2020

8 minutes ago, turner2f said:
> How do we make it so that the uploads folder is not publicly accessible ?

Just make sure the folder is not under your root web directory.

9 minutes ago, turner2f said:
> I was referring to restricting certain exploit file types directly through the Support Manager interface.

Certainly could, though I wouldn't call it a major security issue since filenames are already overwritten and there is no way for the files to be accessed unless someone has access to your server. Still, https://dev.blesta.com/browse/CORE-3903

turner2f (Author)
Posted October 2, 2020

@Jono
I tried reducing the file size to "0MB" within C-Panel's "Multi PHP INI" editor.
upload_max_filesize (The maximum size of an uploaded file.)
------------
Regardless of the change, I was STILL able to upload a file to Blesta.
Please advise if there is a different way.

Paul
Posted October 2, 2020

Sounds like whatever you changed did not work. Check that the value is set in your PHP Info.

    <?php phpinfo(); ?>

turner2f (Author)
Posted October 7, 2020

On 10/2/2020 at 7:07 PM, Paul said:
> Sounds like whatever you changed did not work. Check that the value is set in your PHP Info.
> <?php phpinfo(); ?>

@Paul @Jono
1ST) - After making a change within C-Panel's "Multi PHP INI" editor.
NOTE: Within the dropdown I chose the home directory (or the domain's document) root to open the corresponding PHP configuration for the SUB-folder that my "Blesta" installation is in.
I made the upload_max_filesize within C-Panel's "Multi PHP INI" editor to be "0M"
-------------
2ND) - I created a PHP Info file and inserted into the SUB-folder of my "Blesta" install, and got . . .
upload_max_filesize= 0M Local Value & 2M Master Value
=========
Not certain how to override this "Master Value" or even how to locate it.
Does it mean that there might be a different PHP.INI file that is outside the "Blesta" folder that is overriding the one on the inside?
If yes, could this be at the ROOT level of the server?
If yes, how do I get to it?
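
The two checks suggested in the replies above (the effective upload limits behind Paul's phpinfo() suggestion, and Jono's point about keeping the uploads folder outside the web root), as an added PHP example that is not part of the thread and not Blesta code. `UPLOADS_DIR` is a hypothetical placeholder, and reading a size of 0 as "no limit" rather than "block uploads" is an assumption about PHP's behaviour.

```php
<?php
// Added diagnostic example, not Blesta code. Load it once from the directory
// that serves Blesta, then delete it.

// Hypothetical placeholder: the uploads directory configured in Blesta.
const UPLOADS_DIR = '/path/to/uploads';

// Convert PHP shorthand sizes ("2M", "512K", "1G") to bytes.
function to_bytes(string $value): int
{
    $number = (int) trim($value);
    switch (strtoupper(substr(trim($value), -1))) {
        case 'G': $number *= 1024; // fall through
        case 'M': $number *= 1024; // fall through
        case 'K': $number *= 1024;
    }
    return $number;
}

// True when $dir resolves (symlinks included) to a path inside $docroot.
function is_under(string $dir, string $docroot): bool
{
    $dir = realpath($dir);
    $docroot = $docroot === '' ? false : realpath($docroot);
    if ($dir === false || $docroot === false) {
        return false;
    }
    return strpos($dir . DIRECTORY_SEPARATOR, $docroot . DIRECTORY_SEPARATOR) === 0;
}

header('Content-Type: text/plain');
echo 'Loaded php.ini:  ', php_ini_loaded_file() ?: '(none)', "\n";
echo 'Scanned .ini:    ', php_ini_scanned_files() ?: '(none)', "\n\n";

// 'global_value' is phpinfo()'s Master Value, 'local_value' its Local Value.
$all = ini_get_all(null, true);
foreach (['file_uploads', 'upload_max_filesize', 'post_max_size'] as $key) {
    $local = (string) $all[$key]['local_value'];
    printf("%-20s local=%s master=%s", $key, $local, $all[$key]['global_value']);
    // Assumption: PHP reads a size of 0 as "no limit", not as "block uploads".
    if ($key !== 'file_uploads' && to_bytes($local) === 0) {
        echo '  <- 0: treated here as no limit';
    }
    echo "\n";
}

echo "\nUploads dir inside web root: ",
    is_under(UPLOADS_DIR, $_SERVER['DOCUMENT_ROOT'] ?? '') ? 'YES' : 'no (or path not found)', "\n";
```

Delete the script after reading its output, since it discloses server paths the same way a phpinfo() page does.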