Document Properties
Kbid
306P91
Last Modified
27-Mar-2024
Added to KB
04-Jan-2023
Public Access
Everyone
Status
Online
Doc Type
Concepts
Product
  • ICM 7.10
  • ICM 11
  • ICM 12
Concept - File Upload Validation

Introduction

The Intershop Commerce Management (ICM) back office provides several locations for uploading files to the ICM shared file system (SFS). These files are images for product image assignment and attachment documents for products and promotions. The responsive starter store (RSS) storefront components also provide file upload functionality.

The file upload validation feature limits what files can be uploaded into the SFS. This prevents getting potential dangerous files into the browser of a customer who just wants to go shopping.

This document describes the file upload validation feature in detail and is intended for developers and back office users:

  • For developers, it describes details about the implementation and modification options.

  • For back office users, it describes how and where this functionality is used in the back office.

It is assumed the reader of this document is familiar with the ICM back office: at least the part where images or attachments for products, promotions, and components are involved.

Glossary

Term

Description

ICM

Intershop Commerce Management

RSS

The Intershop responsive starter store  the demo store with which most ICM customizing projects start to develop and customize the ICM platform

SFS

Shared file system  a folder and subfolder structure in ICM where files are uploaded for later use (images, attachments, etc.)

OOTB

Out of the Box - feature available in ICM

References

The following documentation is related to this feature:

Implemented  File Upload Validations

Since uploading any kind of file into the SFS is a security risk, the file upload validation feature is enabled by default.

It is not configurable in the ICM back office, but only in the database or via properties. However, it has no effect on already uploaded files, but only on new files during upload.

Standard file validations are:

  • Checking file extensions against a configurable file extension whitelist

  • Checking if the file content matches what the file extension suggests

These types of validations can be replaced, removed, and extended with custom code. For details, see Cookbook - File Upload Validation | Recipe: How to Extend File Analyzer Checks.

Standard file extension whitelists are:

  • For images (product and content): jpg, jpeg, jpe, gif, png, bmp, webp, avif, svg, ico, tif, tiff, zip

  • For attachments (product and promotion): pdf, txt, jpg, jpeg, jpe, gif, png, bmp, webp, avif, svg, ico, tif, tiff, zip

The file extension whitelists default values can be replaced in the database and via properties. For details, see Cookbook - File Upload Validation | Recipe: How to Configure This Feature for My Channel.

Configuration

This section explains how to change the configuration of the feature for different areas (global, specific channel) in ICM.

It uses the Configuration Framework to read the values.

There is no UI in the back office to change the configuration. So, it should be decided during the setup phase of the shop.

Current Default Values and Explanation What Each Configuration Does 

The configuration for the feature is stored as preference definition default values in the database.

There is a full set of key-value pairs that control the feature.

Preference/Property Key

Current Default Value

Description

intershop.file.analyzer.upload.feature.enabled

true

Enables/disables the feature

intershop.file.analyzer.upload.enable.mediatype.check

true

  • Enables/disables the media type check

  • Compares the media type of the file extension with the media type of the file content, e.g., Media Type Check - Details

intershop.file.analyzer.upload.product.image.extensions

jpg,jpeg,jpe,gif,png,bmp,webp,avif,svg,ico,tif,tiff,zip

Whitelist of file extensions for product image upload, e.g., Image Management and (Master) Catalogs - Import & Export

intershop.file.analyzer.upload.product.attachment.extensions

pdf,txt,jpg,jpeg,jpe,gif,png,bmp,webp,avif,svg,ico,tif,tiff,zip

Whitelist of file extensions for product attachment upload, e.g., (Master) Catalogs - Import & Export

intershop.file.analyzer.upload.promotion.attachment.extensions

pdf,txt,jpg,jpeg,jpe,gif,png,bmp,webp,avif,svg,ico,tif,tiff,zip

Whitelist of file extensions for promotion attachment upload, e.g., Marketing Promotion Attachments

intershop.file.analyzer.upload.content.image.extensions

jpg,jpeg,jpe,gif,png,bmp,webp,avif,svg,ico,tif,tiff,zip

Whitelist of file extensions for component image upload, e.g., Content Upload

Media Type Check - Details

The media type check compares the media type of the file extension with the media type of the file content.

The extension of a file basically describes what kind of data the file contains. Example: If a file has the .gif extension, we assume that it contains gif data.

However, since the extension of a file can be easily manipulated, this check reads data from the file to determine what type of file it is.

The media type check then compares the media type of both sources (extension and content). If it does not match, it might be manipulated and if the mediatype.check validation check is enabled, the file is not valid.

If the check is disabled, only the file extensions are checked against the configured whitelisted extensions.

Individual Configurations

It is possible to replace the default values by creating domain-specific properties or storing domain-specific preferences in the database.

Each domain can have their own set of configuration values (e.g., inSPIRED, inSPIRED-inTRONICS, inSPIRED-inTRONICS_Business, inSPIRED-ResellerChannel).

So it can have one set of valid file extensions for one channel (e.g., inSPIRED-inTRONICS) and another set of extensions for another (e.g., inSPIRED-inTRONICS_Business).

Also see Cookbook - File Upload Validation | Recipe: How to Configure This Feature for My Channel. This is based on the capabilities of the Configuration Framework .

Possible Configuration Issues

The back office UI file upload dialog displays the whitelisted file extensions and uses them to filter out files that do not match.

Depending on the configuration, it is also possible that all files are allowed and no file extension filter is present.

The file extension filter can be absent in the following cases:

  1. The feature is disabled on purpose and all files are allowed.

  2. The feature is enabled but the file extension whitelist cannot be found:

    1. Either the whitelist cannot be read, which might be related to an issue in the ISML module isFileContentExtensions, or

    2. The whitelist is not configured and left empty by mistake.

If the whitelist of file extensions is left empty by mistake, the file upload dialog looks as if the feature is disabled.

In this case, the server validation will block any file from being uploaded.

Back Office UI Example

Screenshot with valid configuration:

  • The feature is enabled with a proper file extension whitelist.


Screenshot with valid or invalid configuration:

  • The feature is disabled.

  • The feature is enabled with an empty (and therefore invalid) file extension whitelist.

ZIP Archive Handling (7.10.39)

ZIP archives are supported if the whitelist configuration includes the .zip extension.

When they are uploaded, the files they contain are automatically unzipped to the selected destination folder.

The validation of the ZIP archive depends on the configuration intershop.file.analyzer.upload.enable.mediatype.check.

Enabled Media Type Check

If the media type check is enabled:

  • A ZIP archive is validated by its file extension.

  • It is also checked whether the binary data of the ZIP archive matches the content of the ZIP archive.

  • Every file within the ZIP archive is checked as follows:

    • The file extension of each file is checked against the whitelist.

    • For each file, it is verified whether it contains matching data, e.g., for a file with .gif extension it is checked if its content matches .gif file data.

  • If one file inside the ZIP archive is not valid, the entire file is considered invalid and therefore rejected.

  • A ZIP archive inside a ZIP archive also results in the rejection of the entire file.

Disabled Media Type Check

If the media type check is disabled:

  • A ZIP archive is only validated by its file extension against the whitelist.

  • The contained files are not analyzed:

    • No file extension check

    • No check of the content of the files inside the ZIP archive

Diagram

ZIP Archive Handling - (7.10.40.4)

The handling is similar to 7.10.39, but from 7.10.40.4, the file extensions within a ZIP archive are still checked, even if the media type check is disabled.

For information on the default settings, refer to Current Default Values and Explanation What Each Configuration Does.

Diagram

Back Office File Upload Locations

The following sections show various locations in the back office where files can be uploaded. 

Image Management

This upload location can be found in the Image Management section of an organization (e.g., inSPIRED) or the partner channel (e.g., inSPIRED-ResellerChannel).

Click path:

  1. Log in to the organization back office (e.g., inSPIRED).

  2. From the main menu, select Master Catalogs | Image Management.

(Master) Catalogs - Import & Export

This upload location can be found in the Product Image Upload and Product Attachment Upload section of an organization (e.g., inSPIRED) or the partner channel (e.g., inSPIRED-ResellerChannel)

Click path:

  1. Log in to the organization back office (e.g., inSPIRED).

  2. Use the management context selector in the upper right to switch to the channel (e.g., inSPIRED-ResellerChannel).

  3. From the main menu, select (Master) Catalogs | Import & Export.

  4. In the list of import and export options:

    1. Under Product Image Upload, click the Manage product images link or the Upload button on the right.

    2. Under Product Attachment Upload, click the Manage product attachments link or the Upload button on the right.


Marketing - Promotion Attachments

This upload location can be found in the Promotion Attachment Upload section in a consumer channel (e.g., inSPIRED-inTRONICS).

Click path:

  1. Log in to the organization back office (e.g., inSPIRED).

  2. Use the management context selector in the upper right to switch to the channel (e.g., inTRONICS).

  3. From the main menu, select Marketing | Promotion Attachment Upload.

Content Upload (7.10.40.4)

Content Upload for an Organization 

Click path:

  1. Log in to Intershop Commerce Management.

  2. Use the management context selector in the upper right to switch to the organization (e.g., inSPIRED).

  3. From the main menu, select Master Content | Content Upload.

    Content(-Master)-ContentUpload3.jpg

Content Upload for a Channel

Click path:

  1. Log in to the Intershop Commerce Management.

  2. Use the management context selector in the upper right to select a channel as management context (e.g., inTRONICS).

  3. From the main menu, select Content | Content Upload.

    Content(-Channel)-ContentUpload3.jpg

Content Upload for an Application

Click path:

  1. Login to the organization back office (e.g., inSPIRED).

  2. Select an application as management context (e.g., B2C - Responsive).

  3. From the main menu, select Content | Content Upload.

    Content(-Application)-ContentUpload3.jpg

Content Upload with TinyMCE - Editor

These dialogs are available for the master content in the organization (e.g., inSPIRED), the content in the channel (e.g., inTRONICS), and in the application (e.g., B2C - Responsive).

They only differ in step 3 - Server Browser showing a different SFS folder for uploading new content.

This approach supports the upload of multiple files at the same time. If one file is invalid, all files will be rejected.

Click path:

  1. Log in to the organization back office (e.g., inSPIRED).

  2. Stay at organization level (e.g., inSPIRED) or use the management context selector in the top right corner to switch to:

    1. The channel (e.g., inTRONICS)

    2. The application (e.g., B2C - Responsive)

  3. From the main menu, select:

    1. For the organization Master Content | Master Components

    2. For the channel and application Content | Components

  4. Open the details of a component, for example, About Us.

  5. Click Insert and follow these steps:

    1. Choose Media or Image:

    2. Click the Source icon:

    3. Click the Upload button in the Server Browser:

    4. Click Upload in the Upload dialog.

Tiny MCE - Quick Insert Toolbar

Before the introduction of file validation, there was a quick insert toolbar available. It was allowing for a fast insertion of images and of 2x2 tables on empty lines. 

The quick image insert was bypassing file validation by directly adding the file Base64 encoded to the HTML, instead of uploading it to the SFS through the Server Browser. The configured file extensions were also ignored.

Therefore, this toolbar has been disabled by default. To enable this feature, see Cookbook - File Upload Validation | Recipe: How to Enable TinyMCE Quick Insert Toolbar (7.10.40.4).

Upload Dialog - Changes

File Upload Dialog

The upload dialog contains the supported file extensions.

The All Files option is always available. If an invalid file is selected, the server-side check will still prevent the upload.

When you click the Upload button, the application server checks the file extensions and file contents.

File Validation Error Message

If the file validation finds the file to be invalid, the following error message is displayed:

Disclaimer
The information provided in the Knowledge Base may not be applicable to all systems and situations. Intershop Communications will not be liable to any party for any direct or indirect damages resulting from the use of the Customer Support section of the Intershop Corporate Web site, including, without limitation, any lost profits, business interruption, loss of programs or other data on your information handling system.
Home
Knowledge Base
Product Releases
Log on to continue
This Knowledge Base document is reserved for registered customers.
Log on with your Intershop Entra ID to continue.
Write an email to supportadmin@intershop.de if you experience login issues,
or if you want to register as customer.