Concept - File Uploads Validation

Introduction

The Intershop Commerce Management (ICM) back office provides several places to upload files into the ICM shared file system (SFS). These files are images for product image assignment and attachment documents for products and promotions. The responsive starter store (RSS) storefront components also have an upload function for files.

This feature limits what files can be uploaded into the SFS. This prevents getting potential dangerous files into the browser of a customer who just wants to go shopping.

This document describes the file upload validation feature in detail and is intended for developers and back office users:

  • For developers, it describes details about the implementation and modification options.
  • For back office users, it describes how and where this functionality is used in the back office.

It is assumed the reader of this document is familiar with the ICM back office: at least the part where images or attachments for products, promotions, and components are involved.

Glossary

TermDescription
ICMIntershop Commerce Management
RSSThe Intershop responsive starter store  the demo store with which most ICM customizing projects start to develop and customize the ICM platform
SFSShared file system  a folder and subfolder structure in ICM where files are uploaded for later use (images, attachments, etc.).
OOTBOut of the Box - feature available in ICM

References

The following documentation is related to this feature:

Implemented  File Upload Validations

Since uploading any kind of file into the SFS is a security risk, the file upload validation feature is enabled by default.

It is not configurable in the ICM back office, but only in the database or via properties. However, it has no influence on already uploaded files, but only on new files when uploading.

Standard File Validations Are:

  • Checking file extensions against a configurable file extension whitelist
  • Checking if the file content matches what the file extension suggests

These types of validations can be replaced, removed, and extended with custom code. For details, see Cookbook - File Uploads Validation | Recipe: How to extend what the file analyzer checks.

Standard File Extension whitelists Are:

  • For images (product and content): jpg, jpeg, jpe, gif, png, bmp, webp, avif, svg, ico, tif, tiff, zip
  • For attachments (product and promotion): pdf, txt, jpg, jpeg, jpe, gif, png, bmp, webp, avif, svg, ico, tif, tiff, zip

The file extension whitelists default values can be replaced in the database and via properties. For details, see Cookbook - File Uploads Validation | Recipe: How to Configure This Feature for My Channel.

Configuration

This section explains how to change the configuration of the feature for different areas (global, specific channel) in ICM.

It uses the Configuration Framework to read the values.

There is no UI in the back office to change the configuration. So it should be decided during the setup phase of the shop.

Current Default Values and Explanation What Each Configuration Does

The configuration for the feature is stored as preference definition default values in the database.

There is a full set of key value pairs controlling the feature.

Preference/Property KeyCurrent Default ValueDescription
intershop.file.analyzer.upload.feature.enabledtrueEnables/disables the feature
intershop.file.analyzer.upload.enable.mediatype.checktrue
  • Enables/disables the media type check
  • Compares the media type of the file extension with the media type of the file content, e.g., Media Type Check - Details
intershop.file.analyzer.upload.product.image.extensionsjpg,jpeg,jpe,gif,png,bmp,webp,avif,svg,ico,tif,tiff,zipWhitelist of file extensions for product image upload, e.g., Image Management and (Master) Catalogs - Import & Export
intershop.file.analyzer.upload.product.attachment.extensionspdf,txt,jpg,jpeg,jpe,gif,png,bmp,webp,avif,svg,ico,tif,tiff,zipWhitelist of file extensions for product attachment upload, e.g., (Master) Catalogs - Import & Export
intershop.file.analyzer.upload.promotion.attachment.extensionspdf,txt,jpg,jpeg,jpe,gif,png,bmp,webp,avif,svg,ico,tif,tiff,zipWhitelist of file extensions for promotion attachment upload, e.g., Marketing Promotion Attachments
intershop.file.analyzer.upload.content.image.extensionsjpg,jpeg,jpe,gif,png,bmp,webp,avif,svg,ico,tif,tiff,zipWhitelist of file extensions for component image upload, not yet used, e.g., Content Upload

Media Type Check - Details

The media type check compares the media type of the file extension with the media type of the file content.

The extension of a file basically describes what kind of data the file contains. Example: If a file has the .gif extension, we assume that it contains gif data.

But since the extension of a file can easily be manipulated, this check reads some data of the file to determine what type of file it is.

The media type check then compares the media type of both sources (extension and content). If it does not match, it might be manipulated and if the mediatype.check validation check is enabled, the file is not valid.

If it is disabled, only the file extensions are checked against the configured whitelisted extensions.

Individual Configurations

It is possible to replace the default values by creating domain-specific properties or storing domain-specific preferences in the database.

Each domain can have their own set of configuration values (e.g., inSPIRED, inSPIRED-inTRONICS, inSPIRED-inTRONICS_Business, inSPIRED-ResellerChannel).

So it can have one set of valid file extensions for one channel (e.g., inSPIRED-inTRONICS) and another set of extensions for another (e.g., inSPIRED-inTRONICS_Business).

Also see Cookbook - File Uploads Validation | Recipe: How to Configure This Feature for My Channel. This is based on the capabilities of the Configuration Framework .

Possible Configuration Issues

The back office UI file upload dialog displays the whitelisted file extensions and uses them to filter out files that do not match.

Depending on the configuration, it is also possible that all files are allowed and no file extension filter is present.

The file extension filter can be absent in the following cases:

  1. The feature is disabled on purpose and all files are allowed.
  2. The feature is enabled but the file extension whitelist cannot be found:
    1. Either the whitelist cannot be read, which might be related to an issue in the ISML module isFileContentExtensions, or
    2. The whitelist is not configured and left empty by mistake.

If the whitelist of file extensions is left empty by mistake, the file upload dialog looks as if the feature is disabled.

In this case, the server validation will block any file from being uploaded.

Back Office UI Example

Screenshot with valid configuration:

  • The feature is enabled with a proper file extension whitelist.


Screenshot with valid or invalid configuration:

  • The feature is disabled.
  • The feature is enabled with an empty (and therefore invalid) file extension whitelist.


ZIP Archive Handling (7.10.39)

ZIP archives are supported if the whitelist configuration contains the .zip extension.

When they get uploaded, their containing files get unzipped automatically into the selected target folder.

The validation of the ZIP archive depends on the configuration intershop.file.analyzer.upload.enable.mediatype.check.

Enabled Media Type Check

If the media type check is enabled:

  • A ZIP archive is validated by its file extension.
  • It is also checked whether the binary data of the ZIP archive matches the content of the Zip archive.
  • Every file within the ZIP archive is checked as follows:
    • The file extension of each file is checked against the whitelist.
    • For each file, it is verified whether it contains matching data, e.g., a for a file with .gif extension it is checked if its content matches .gif file data.
  • If one file inside the ZIP archive is not valid, the entire file is considered invalid and therefore rejected.
  • A ZIP archive inside a ZIP archive also results in the rejection of the entire file.

Disabled Media Type Check

If the media type check is disabled:

  • A ZIP archive is only validated by its file extension against the whitelist.
  • The contained files are not analyzed:
    • No file extension check.
    • No check of the content of the files inside the ZIP archive.

Diagram

ZIP-Archive Handling - (7.10.40+)

ZIP Archives are supported when the whitelist configuration contains the .zip extension.

When they get uploaded, the contained files get unzipped automatically into the selected target folder.

If the Media Type Check Is Enabled

  • A ZIP archive is validated by its file extension.
  • It is also checked if its binary data matches the content of a ZIP archive.
  • Every file within the ZIP archive is also checked as follows:
    • The file extension against the whitelist
    • Every file is verified if it contains matching data
      • e.g., a file with .gif extension vs. file content matches gif file data
  • If one file inside the ZIP archive is not valid, the entire file is considered invalid and therefore rejected
  • A ZIP archive inside a ZIP archive also results in the rejection of the entire file.

If the Media Type Check Is Disabled

  • A ZIP archive is only validated by its file extension against the whitelist.
  • File extensions of the contained files are checked against the whitelist but their media types do not get verified.
  • ZIP archives containing another ZIP archive are considered invalid.

Diagram

Back Office File Upload Locations

The following sections show various locations in the back office where files can be uploaded. 

Image Management

In the Image Management section of an organization (e.g., inSPIRED) or the partner channel (e.g., inSPIRED-ResellerChannel).

Click path:

  1. Login to the organization back office (e.g., inSPIRED).
  2. From the main menu, select Master Catalogs | Image Management.


(Master) Catalogs - Import & Export

Product Image Upload and Product Attachment Upload of an organization (e.g., inSPIRED) or the partner channel (e.g., inSPIRED-ResellerChannel)

Click path:

  1. Login to the organization back office (e.g., inSPIRED).
  2. Switch to the partner channel with the select box in the top right corner (e.g., inSPIRED-ResellerChannel).
  3. From the main menu, select (Master) Catalogs | Import & Export.
  4. In the list of import and export possibilities:
    1. Under Product Image Upload, click the Manage product images link or the Upload button on the right.
    2. Under Product Attachment Upload, click the Manage product attachments link or the Upload button on the right.


Marketing - Promotion Attachments

Promotion Attachment Upload in a consumer channel (e.g., inSPIRED-inTRONICS)

Click path:

  1. Login to the organization back office (e.g., inSPIRED).
  2. Switch to the channel with the select box in the top right corner (e.g., inTRONICS).
  3. From the main menu, select Marketing | Promotion Attachment Upload.



Upload Dialog - Changes

File Upload Dialog

The upload dialog now contains the supported file extensions.

The All Files option is always available. If an invalid file has been selected, the check on the server side will still prevent the upload.

When clicking the Upload button, the file extensions and file contents are checked in the application server.

File Validation Error Message

When the file validation finds the file to be invalid, the following error message is displayed:


Disclaimer

The information provided in the Knowledge Base may not be applicable to all systems and situations. Intershop Communications will not be liable to any party for any direct or indirect damages resulting from the use of the Customer Support section of the Intershop Corporate Web site, including, without limitation, any lost profits, business interruption, loss of programs or other data on your information handling system.

Customer Support
Knowledge Base
Product Resources
Tickets