General developer forum

preventing users from uploading malicious files from the code level

 
Picture of Conn Warwicker
Re: preventing users from uploading malicious files from the code level
Core developersParticularly helpful MoodlersPlugin developers

I think you might have to do it yourself, it's been mentioned for a few years and I don't think they ever implemented a whitelist.

If you look at /repository/upload/lib.php

I believe the process_upload() function in there is called whenever someone uploads a file, and there is already some code in there for checking mimetypes, so it should just be a case of adding in an extra line or so, to look for, say a $CFG->allowed_types variable, or a config setting if you want to make an actual form for it in Site Admin.

 
Average of ratings: -