The Intershop Commerce Management (ICM) back office provides several places to upload files into the ICM shared file system (SFS). These files are images for product image assignment and attachment documents for products and promotions. The responsive starter store (RSS) storefront components also have an upload function for files.
This feature limits what files can be uploaded into the SFS. This prevents getting potential dangerous files into the browser of a customer who just wants to go shopping.
This document describes the file upload validation feature in detail and is intended for developers and back office users:
It is assumed the reader of this document is familiar with the ICM back office: at least the part where images or attachments for products, promotions, and components are involved.
|ICM||Intershop Commerce Management|
|RSS||The Intershop responsive starter store – the demo store with which most ICM customizing projects start to develop and customize the ICM platform|
|SFS||Shared file system – a folder and subfolder structure in ICM where files are uploaded for later use (images, attachments, etc.).|
|OOTB||Out of the Box - feature available in ICM|
The following documentation is related to this feature:
Since uploading any kind of file into the SFS is a security risk, the file upload validation feature is enabled by default.
It is not configurable in the ICM back office, but only in the database or via properties. However, it has no influence on already uploaded files, but only on new files when uploading.
Standard File Validations Are:
These types of validations can be replaced, removed, and extended with custom code. For details, see Cookbook - File Uploads Validation | Recipe: How to extend what the file analyzer checks.
Standard File Extension whitelists Are:
The file extension whitelists default values can be replaced in the database and via properties. For details, see Cookbook - File Uploads Validation | Recipe: How to Configure This Feature for My Channel.
This section explains how to change the configuration of the feature for different areas (global, specific channel) in ICM.
It uses the Configuration Framework to read the values.
There is no UI in the back office to change the configuration. So it should be decided during the setup phase of the shop.
The configuration for the feature is stored as preference definition default values in the database.
There is a full set of key value pairs controlling the feature.
|Preference/Property Key||Current Default Value||Description|
|Enables/disables the feature|
|Whitelist of file extensions for product image upload, e.g., Image Management and (Master) Catalogs - Import & Export|
|Whitelist of file extensions for product attachment upload, e.g., (Master) Catalogs - Import & Export|
|Whitelist of file extensions for promotion attachment upload, e.g., Marketing Promotion Attachments|
|Whitelist of file extensions for component image upload, not yet used, e.g., Content Upload|
The media type check compares the media type of the file extension with the media type of the file content.
The extension of a file basically describes what kind of data the file contains. Example: If a file has the .gif extension, we assume that it contains gif data.
But since the extension of a file can easily be manipulated, this check reads some data of the file to determine what type of file it is.
The media type check then compares the media type of both sources (extension and content). If it does not match, it might be manipulated and if the
mediatype.check validation check is enabled, the file is not valid.
If it is disabled, only the file extensions are checked against the configured whitelisted extensions.
It is possible to replace the default values by creating domain-specific properties or storing domain-specific preferences in the database.
Each domain can have their own set of configuration values (e.g., inSPIRED, inSPIRED-inTRONICS, inSPIRED-inTRONICS_Business, inSPIRED-ResellerChannel).
So it can have one set of valid file extensions for one channel (e.g., inSPIRED-inTRONICS) and another set of extensions for another (e.g., inSPIRED-inTRONICS_Business).
Also see Cookbook - File Uploads Validation | Recipe: How to Configure This Feature for My Channel. This is based on the capabilities of the Configuration Framework .
The back office UI file upload dialog displays the whitelisted file extensions and uses them to filter out files that do not match.
Depending on the configuration, it is also possible that all files are allowed and no file extension filter is present.
The file extension filter can be absent in the following cases:
If the whitelist of file extensions is left empty by mistake, the file upload dialog looks as if the feature is disabled.
In this case, the server validation will block any file from being uploaded.
Screenshot with valid configuration:
Screenshot with valid or invalid configuration:
ZIP archives are supported if the whitelist configuration contains the .zip extension.
When they get uploaded, their containing files get unzipped automatically into the selected target folder.
The validation of the ZIP archive depends on the configuration
If the media type check is enabled:
If the media type check is disabled:
The handling is similar to 7.10.39, but from 7.10.40+, the file extensions within a zip archive are still checked, even if the media type check is disabled.
For information on the default settings, refer to Current Default Values and Explanation What Each Configuration Does.
The following sections show various locations in the back office where files can be uploaded.
In the Image Management section of an organization (e.g., inSPIRED) or the partner channel (e.g., inSPIRED-ResellerChannel).
Product Image Upload and Product Attachment Upload of an organization (e.g., inSPIRED) or the partner channel (e.g., inSPIRED-ResellerChannel)
Promotion Attachment Upload in a consumer channel (e.g., inSPIRED-inTRONICS)
The upload dialog now contains the supported file extensions.
The All Files option is always available. If an invalid file is selected, the server-side check will still prevent the upload.
When you click the Upload button, the application server checks the file extensions and file contents.
If the file validation finds the file to be invalid, the following error message is displayed:
The information provided in the Knowledge Base may not be applicable to all systems and situations. Intershop Communications will not be liable to any party for any direct or indirect damages resulting from the use of the Customer Support section of the Intershop Corporate Web site, including, without limitation, any lost profits, business interruption, loss of programs or other data on your information handling system.