Allowedextensions in cffile

How do I define I want to allow ALL extension for cffile. The documentation does not offer this information and the * which is said from Adobe does not seem to work.

The docs for Lucee imply that it should be “any” (<cffile> :: Lucee Documentation). I’ve not tested it or looked at the Lucee source.

Note that it also supports a block feature also (in Lucee), and at both the tag and app level. You may have some conflict there.

I think I know the cause. From the documentation of Lucees Environment Variables and Properties you will find LUCEE_UPLOAD_BLOCKLIST. Quote:

By default Lucee will block a set of files that have potential risk. Use this setting to have more control over Lucees default settings.

This is because of “security by default” set here in Lucee source. You may override it by setting for example

this.blockedExtForFileUpload="asp,aspx,cfc,cfm,cfml,do,htm,html,jsp,jspx,php";

in your Application.cfc or setting the environment variables or properties as described in the Environment Variables documentation.

1 Like