The Intershop Commerce Management (ICM) back office provides several locations for uploading files to the ICM shared file system (SFS). These files are images for product image assignment and attachment documents for products and promotions. The responsive starter store (RSS) storefront components also provide file upload functionality.
The file upload validation feature limits what files can be uploaded into the SFS. This prevents getting potential dangerous files into the browser of a customer who just wants to go shopping.
This document describes the file upload validation feature in detail and is intended for developers and back office users:
For developers, it describes details about the implementation and modification options.
For back office users, it describes how and where this functionality is used in the back office.
It is assumed the reader of this document is familiar with the ICM back office: at least the part where images or attachments for products, promotions, and components are involved.
Term | Description |
---|---|
ICM | Intershop Commerce Management |
RSS | The Intershop responsive starter store – the demo store with which most ICM customizing projects start to develop and customize the ICM platform |
SFS | Shared file system – a folder and subfolder structure in ICM where files are uploaded for later use (images, attachments, etc.) |
OOTB | Out of the Box - feature available in ICM |
The following documentation is related to this feature:
Concept - Image Framework | Image Upload - Shared File System
Concept - Configuration – used in the implementation to configure the feature and describe customization details
Since uploading any kind of file into the SFS is a security risk, the file upload validation feature is enabled by default.
It is not configurable in the ICM back office, but only in the database or via properties. However, it has no effect on already uploaded files, but only on new files during upload.
Standard file validations are:
Checking file extensions against a configurable file extension whitelist
Checking if the file content matches what the file extension suggests
These types of validations can be replaced, removed, and extended with custom code. For details, see Cookbook - File Upload Validation | Recipe: How to Extend File Analyzer Checks.
Standard file extension whitelists are:
For images (product and content): jpg, jpeg, jpe, gif, png, bmp, webp, avif, svg, ico, tif, tiff, zip
For attachments (product and promotion): pdf, txt, jpg, jpeg, jpe, gif, png, bmp, webp, avif, svg, ico, tif, tiff, zip
The file extension whitelists default values can be replaced in the database and via properties. For details, see Cookbook - File Upload Validation | Recipe: How to Configure This Feature for My Channel.
This section explains how to change the configuration of the feature for different areas (global, specific channel) in ICM.
It uses the Configuration Framework to read the values.
There is no UI in the back office to change the configuration. So, it should be decided during the setup phase of the shop.
The configuration for the feature is stored as preference definition default values in the database.
There is a full set of key-value pairs that control the feature.
Preference/Property Key | Current Default Value | Description |
---|---|---|
|
| Enables/disables the feature |
|
|
|
|
| Whitelist of file extensions for product image upload, e.g., Image Management and (Master) Catalogs - Import & Export |
|
| Whitelist of file extensions for product attachment upload, e.g., (Master) Catalogs - Import & Export |
|
| Whitelist of file extensions for promotion attachment upload, e.g., Marketing Promotion Attachments |
|
| Whitelist of file extensions for component image upload, e.g., Content Upload |
The media type check compares the media type of the file extension with the media type of the file content.
The extension of a file basically describes what kind of data the file contains. Example: If a file has the .gif extension, we assume that it contains gif data.
However, since the extension of a file can be easily manipulated, this check reads data from the file to determine what type of file it is.
The media type check then compares the media type of both sources (extension and content). If it does not match, it might be manipulated and if the mediatype.check
validation check is enabled, the file is not valid.
If the check is disabled, only the file extensions are checked against the configured whitelisted extensions.
It is possible to replace the default values by creating domain-specific properties or storing domain-specific preferences in the database.
Each domain can have their own set of configuration values (e.g., inSPIRED, inSPIRED-inTRONICS, inSPIRED-inTRONICS_Business, inSPIRED-ResellerChannel).
So it can have one set of valid file extensions for one channel (e.g., inSPIRED-inTRONICS) and another set of extensions for another (e.g., inSPIRED-inTRONICS_Business).
Also see Cookbook - File Upload Validation | Recipe: How to Configure This Feature for My Channel. This is based on the capabilities of the Configuration Framework .
The back office UI file upload dialog displays the whitelisted file extensions and uses them to filter out files that do not match.
Depending on the configuration, it is also possible that all files are allowed and no file extension filter is present.
The file extension filter can be absent in the following cases:
The feature is disabled on purpose and all files are allowed.
The feature is enabled but the file extension whitelist cannot be found:
Either the whitelist cannot be read, which might be related to an issue in the ISML module isFileContentExtensions
, or
The whitelist is not configured and left empty by mistake.
If the whitelist of file extensions is left empty by mistake, the file upload dialog looks as if the feature is disabled.
In this case, the server validation will block any file from being uploaded.
Screenshot with valid configuration:
The feature is enabled with a proper file extension whitelist.
Screenshot with valid or invalid configuration:
The feature is disabled.
The feature is enabled with an empty (and therefore invalid) file extension whitelist.
ZIP archives are supported if the whitelist configuration includes the .zip extension.
When they are uploaded, the files they contain are automatically unzipped to the selected destination folder.
The validation of the ZIP archive depends on the configuration intershop.file.analyzer.upload.enable.mediatype.check
.
If the media type check is enabled:
A ZIP archive is validated by its file extension.
It is also checked whether the binary data of the ZIP archive matches the content of the ZIP archive.
Every file within the ZIP archive is checked as follows:
The file extension of each file is checked against the whitelist.
For each file, it is verified whether it contains matching data, e.g., for a file with .gif extension it is checked if its content matches .gif file data.
If one file inside the ZIP archive is not valid, the entire file is considered invalid and therefore rejected.
A ZIP archive inside a ZIP archive also results in the rejection of the entire file.
If the media type check is disabled:
A ZIP archive is only validated by its file extension against the whitelist.
The contained files are not analyzed:
No file extension check
No check of the content of the files inside the ZIP archive
The handling is similar to 7.10.39, but from 7.10.40.4, the file extensions within a ZIP archive are still checked, even if the media type check is disabled.
For information on the default settings, refer to Current Default Values and Explanation What Each Configuration Does.
The following sections show various locations in the back office where files can be uploaded.
This upload location can be found in the Image Management section of an organization (e.g., inSPIRED) or the partner channel (e.g., inSPIRED-ResellerChannel).
Click path:
Log in to the organization back office (e.g., inSPIRED).
From the main menu, select Master Catalogs | Image Management.
This upload location can be found in the Product Image Upload and Product Attachment Upload section of an organization (e.g., inSPIRED) or the partner channel (e.g., inSPIRED-ResellerChannel)
Click path:
Log in to the organization back office (e.g., inSPIRED).
Use the management context selector in the upper right to switch to the channel (e.g., inSPIRED-ResellerChannel).
From the main menu, select (Master) Catalogs | Import & Export.
In the list of import and export options:
Under Product Image Upload, click the Manage product images link or the Upload button on the right.
Under Product Attachment Upload, click the Manage product attachments link or the Upload button on the right.
This upload location can be found in the Promotion Attachment Upload section in a consumer channel (e.g., inSPIRED-inTRONICS).
Click path:
Log in to the organization back office (e.g., inSPIRED).
Use the management context selector in the upper right to switch to the channel (e.g., inTRONICS).
From the main menu, select Marketing | Promotion Attachment Upload.
Click path:
Log in to Intershop Commerce Management.
Use the management context selector in the upper right to switch to the organization (e.g., inSPIRED).
From the main menu, select Master Content | Content Upload.
Click path:
Log in to the Intershop Commerce Management.
Use the management context selector in the upper right to select a channel as management context (e.g., inTRONICS).
From the main menu, select Content | Content Upload.
Click path:
Login to the organization back office (e.g., inSPIRED).
Select an application as management context (e.g., B2C - Responsive).
From the main menu, select Content | Content Upload.
These dialogs are available for the master content in the organization (e.g., inSPIRED), the content in the channel (e.g., inTRONICS), and in the application (e.g., B2C - Responsive).
They only differ in step 3 - Server Browser showing a different SFS folder for uploading new content.
This approach supports the upload of multiple files at the same time. If one file is invalid, all files will be rejected.
Click path:
Log in to the organization back office (e.g., inSPIRED).
Stay at organization level (e.g., inSPIRED) or use the management context selector in the top right corner to switch to:
The channel (e.g., inTRONICS)
The application (e.g., B2C - Responsive)
From the main menu, select:
For the organization Master Content | Master Components
For the channel and application Content | Components
Open the details of a component, for example, About Us.
Click Insert and follow these steps:
Choose Media or Image:
Click the Source icon:
Click the Upload button in the Server Browser:
Click Upload in the Upload dialog.
Before the introduction of file validation, there was a quick insert toolbar available. It was allowing for a fast insertion of images and of 2x2 tables on empty lines.
The quick image insert was bypassing file validation by directly adding the file Base64 encoded to the HTML, instead of uploading it to the SFS through the Server Browser. The configured file extensions were also ignored.
Therefore, this toolbar has been disabled by default. To enable this feature, see Cookbook - File Upload Validation | Recipe: How to Enable TinyMCE Quick Insert Toolbar (7.10.40.4).
The upload dialog contains the supported file extensions.
The All Files option is always available. If an invalid file is selected, the server-side check will still prevent the upload.
When you click the Upload button, the application server checks the file extensions and file contents.
If the file validation finds the file to be invalid, the following error message is displayed: