I just switched the site over from b2evolution to Drupal. In migrating posts I needed to attach some javascript files to a blog-entry. As a security measure Drupal renames files with executable extensions “php|pl|py|cgi|asp|js”, appending an underscore and a “.TXT” extension. That’s reasonable. What’s odd is that there is no setting to provide an override, either to specific users, or site-wide.

My initial question asking if there was a setting to override this security feature met with limited response, so a bit of research later here’s what I came up with.


Mainly what I found out is that this is a three-year-old issue! Also, that we need to patch the core in order to prevent files being renamed and having .TXT appended. Nice. This is painful because it’s not obvious to new users why some files have .TXT appended to them, nor is it obvious how to work around this in cases where they may want to do that. The need for this behavior, enabled by default, is obvious. But having a permission to override when needed seems like a no-brainer. I don’t understand why this seems to have been patched numerous times, from 2005 to 2008, and still isn’t in the core. Go figure.

Future Reference

For anyone in the future:

  • This patch #144760 seems to be the most recent, but I’m not sure how to find a specific patch associated with an issue. In the meantime I made my own patch, below.
  • The comment in #41561 is no longer valid – the module no longer exists. However, file.inc seems to be filtering “php|pl|py|cgi|asp|js” and applying the .txt extension, which gave me a clue for my patch below.

A Workaround Patch

So using the technique from a post dating from 2005(!!!), I made the changes below.

Note that I suspect you should not make these changes to the core files, but I’m not yet sure how to make fine-grained (sub-function level) alterations to the core, so buyer beware.

  1. Add a new upload permission: In the modules directory find the file upload.module, locate upload_perm() and add an extra permission ‘upload any filetype’:
function upload_perm() {
  return array('upload files', 'view uploaded files', 'upload any filetype');
}
  2. Allow roles with ‘upload any filetype’ to upload any filetype: In the includes directory find the file file.inc, locate file_save_upload() and at line 533 (as of 6.2) change from:
if (preg_match('/\.(php|pl|py|cgi|asp|js)$/i', $file->filename) && (substr($file->filename, -4) != '.txt')) {

…to this, adding the ‘upload any filetype’ condition at the end:

if (preg_match('/\.(php|pl|py|cgi|asp|js)$/i', $file->filename) && (substr($file->filename, -4) != '.txt') && (!user_access('upload any filetype')) ) {
  3. Assign the permission: You can now navigate through your admin panel to admin/user/permissions and grant this permission to one or more roles.
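
As an added illustration (not Drupal core code and not part of the patch above), this stand-alone PHP script compares the original check with the patched one on constructed filenames, so you can see which uploads each role would still have renamed. The function names and role data are hypothetical, and a plain permission array stands in for user_access(), which needs a bootstrapped Drupal.

```php
<?php
// Added illustration, not Drupal core code. Function names are hypothetical.

// The pattern used in file_save_upload(), as quoted in the post.
define('EXEC_EXT_PATTERN', '/\.(php|pl|py|cgi|asp|js)$/i');

// Original check: rename whenever the final extension is on the list.
function rename_original($filename) {
  return preg_match(EXEC_EXT_PATTERN, $filename)
    && (substr($filename, -4) != '.txt');
}

// Patched check: the same, unless the uploader holds 'upload any filetype'.
// $permissions is an assumption standing in for user_access().
function rename_patched($filename, array $permissions) {
  return rename_original($filename)
    && !in_array('upload any filetype', $permissions, TRUE);
}

// Constructed sample data: filenames and two example roles.
$filenames = array('widget.js', 'INSTALL.PHP', 'notes.txt', 'photo.jpg', 'lib.js.txt');
$roles = array(
  'authenticated user' => array('upload files', 'view uploaded files'),
  'site editor' => array('upload files', 'view uploaded files', 'upload any filetype'),
);

// Print one row per filename: original decision, then the patched decision per role.
foreach ($filenames as $name) {
  printf("%-12s original=%-6s", $name, rename_original($name) ? 'rename' : 'keep');
  foreach ($roles as $role => $perms) {
    printf("  %s=%-6s", $role, rename_patched($name, $perms) ? 'rename' : 'keep');
  }
  echo "\n";
}
```

Only the role holding the new permission keeps `widget.js` and `INSTALL.PHP` under their original names; every other role gets the same renaming as before the patch.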

That’s it. Hope someone else finds this useful.