Secure the file upload functionality

Abstract

Strengthen the security of your Sitecore installation by controlling access to files that users upload.

You can strengthen the security of your Sitecore installation if you deny script and execute permissions for the upload folder.

This topic outlines how to:

Deny Script and Execute permissions for the upload folder

If you allow users to modify the content of the upload folder, you also give them the permissions to place scripts and executable programs in the folder. Executing these scripts and programs can cause an unexpected behavior on the server.

To avoid this, you can deny permissions to run scripts and executable files in the upload folder and thereby prevent an uploaded file from being executed on the server side when a user attempts to download it.

Note

You only need to perform this step if your configuration allows content authors to place files directly in the upload folder. For example, if you use a shared directory or FTP server, content authors can quickly place a lot of media in the media library.

To deny both Script and Execute permissions for the upload folder.

  1. Open the Internet Information Services (IIS) manager.

  2. Navigate to and click the upload folder for the relevant website, and then under the IIS section, double-click Handler Mappings

    FEE1C21AA0144F8FAE53E56913F4CE2C.png

  3. In the Actions pane, click Edit Feature Permissions.

  4. In the Edit Feature Permissions dialog box, clear the Script and Execute check boxes and click OK.

    76F6695E9E924EC1A8AF0FEE231C4E6A.png

If your configuration allows content authors to place files directly in the temp folder, for example, using a shared directory or an FTP server, you should also deny users Script and Execute permissions for the temp folder.

This also helps to avoid potential security problems, for example, if .aspx files are saved in the temp folder (for example, from custom code).

Disable the Upload Watcher

To ensure that the only way to upload files to Sitecore is from the Media Library, you should disable the Upload Watcher. This means that you can only upload files from within the Sitecore client and have control over the files that are uploaded.

When you disable the Upload Watcher, files that are placed in the upload folder are not automatically uploaded to the Media Library.

To disable the Upload Watcher:

  • Open the web.config file and remove the following string from the <system.webServer><modules> section:

    <add type="Sitecore.Resources.Media.UploadWatcher,Sitecore.Kernel" name="SitecoreUploadWatcher"/>

Prevent a user from uploading certain file types

If you want to have complete control and prevent users from uploading certain file types, for example, .exe and .dll, you can use the Upload Filter tool.

Download and install the Upload Filter tool

The Upload Filter tool is a Sitecore package that you can download.

The Upload Filter tool contains the following files:

File name

Destination folder

UploadFilter.config

Website\App_Config\Include\

UploadFilter.dll

WebSite\bin\

To install the Upload Filter tool:

  1. On the Sitecore Launchpad, click Control Panel.

  2. Under the Administration section, click Install a Package.

  3. Follow the steps in the wizard to first download the package and then install it.

Configure the Upload Filter tool

After you install the Upload Filter tool, you must configure it.

To configure the Upload Filter tool:

  1. Open the UploadFilter.config file.

    <processors>
      <uiUpload>
          <processor mode="on" type="Sitecore.Pipelines.Upload.CheckExtension, Sitecore.UploadFilter" patch:before="*[1]">
              <param desc="Allowed extensions (comma separated)"></param>
              <param desc="Blocked extensions (comma separated)">exe,dll</param>
          </processor>                
      </uiUpload>
</processors>

  2. To prevent users from uploading certain file types:

    • In the Allowed extensions parameter, enter a comma-separated list of the file extension types that can be uploaded.

      Or

    • In the Blocked extensions parameter, enter a comma-separated list of the file extension types that cannot be uploaded.

    You must enter the file extension without the dot.

    Important

    If you set the Allowed extensions parameter, the Blocked extensions parameter is ignored.

    If you try to upload a file type that is on the blocked list, you see the following message:

    74F6D313A62D4E069E8F31AE9BBF6B1B.png

Note

After you install the Upload Filter tool, the Upload dialog can freeze if an errors occurs during the upload process. This is a known issue for which there is a solution.