Since the release of Internet Explorer 7, we have not been able to rely on blacklisting file extensions for email attachments. The reason is Internet Explorer's HTML sniffing behavior on unknown file types, which would have exposed us to cross-site scripting attacks. To work around this, we have implemented whitelisting of trusted file extensions that is flexible, yet safe enough to run in most configurations.
This article discusses trusted file types and unsafe attachment handling for email attachments in FogBugz and describes how to implement the whitelisting workaround.
- The old blacklisting behavior has been deprecated completely. If an attachment that did not arrive by email is attached by a logged-in FogBugz user with Normal or Admin status, it will not be marked as .unsafe.
- Any file coming from a Community or Public user, or from email, will be marked as .unsafe unless the file extension is whitelisted.
The default whitelisted extensions are:
- Archives: tar, gzip, gz, zip, bzip, rar
- Documents: doc, xls, ppt, docx, xlsx, xml, cty, pdf
- Text: csv, txt
- Images: jpg, jpeg, bmp, gif, png
Whitelisting is case sensitive: an extension must match the whitelist entry exactly.
Follow these steps to implement whitelisting:
- From the Main Menu, select Site Configuration.
- Select the Advanced tab.
- Add or remove the file extensions from the Trusted File Types field.
The current default value for Trusted File Types is as follows:
Once a file extension is whitelisted, the system will allow the downloading of files with that extension without appending .unsafe to the file.
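The following is an added example, not FogBugz's own code, that models the attachment rules described above: attachments from Normal or Admin users are stored as-is, while anything from email, Community or Public users gets .unsafe appended unless its extension is on the whitelist, matched case-sensitively. The `Source` names, the function names and the handling of edge cases (no extension, trailing dot, path prefixes) are this example's own assumptions; the default whitelist is the one listed in the article.

```python
# Added example (not FogBugz's own code): a minimal model of the attachment
# policy this article describes. The Source enum, function names and edge-case
# handling are assumptions; the DEFAULT_TRUSTED set is the article's list.
from enum import Enum

# Default "Trusted File Types" from the article (case-sensitive, lowercase).
DEFAULT_TRUSTED = frozenset({
    "tar", "gzip", "gz", "zip", "bzip", "rar",                     # archives
    "doc", "xls", "ppt", "docx", "xlsx", "xml", "cty", "pdf",      # documents
    "csv", "txt",                                                  # text
    "jpg", "jpeg", "bmp", "gif", "png",                            # images
})


class Source(Enum):
    """Where an attachment came from (assumed names)."""
    NORMAL_USER = "normal"
    ADMIN_USER = "admin"
    COMMUNITY_USER = "community"
    PUBLIC_USER = "public"
    EMAIL = "email"


# Logged-in Normal/Admin users are trusted; everything else goes through the whitelist.
TRUSTED_SOURCES = frozenset({Source.NORMAL_USER, Source.ADMIN_USER})


def extension_of(filename: str) -> str:
    """Return the text after the final dot of the base name, or '' if none.

    Only the last segment counts, so 'report.pdf.html' yields 'html' and a
    name ending in a dot ('notes.') has no usable extension.
    """
    base = filename.rsplit("/", 1)[-1].rsplit("\\", 1)[-1]
    if "." not in base or base.endswith("."):
        return ""
    return base.rsplit(".", 1)[1]


def is_whitelisted(filename: str, trusted=DEFAULT_TRUSTED) -> bool:
    """Exact, case-sensitive match of the extension against the whitelist."""
    ext = extension_of(filename)
    return ext != "" and ext in trusted


def stored_name(filename: str, source: Source, trusted=DEFAULT_TRUSTED) -> str:
    """Name under which the attachment is stored (and later downloaded)."""
    if source in TRUSTED_SOURCES:
        return filename                   # Normal/Admin uploads are never marked
    if is_whitelisted(filename, trusted):
        return filename                   # trusted extension: served as-is
    return filename + ".unsafe"           # everything else is marked .unsafe


if __name__ == "__main__":
    # Constructed sample attachments, one per decision branch.
    samples = [
        ("invoice.pdf", Source.EMAIL),
        ("invoice.PDF", Source.EMAIL),          # case mismatch: not trusted
        ("page.html", Source.PUBLIC_USER),
        ("page.html", Source.ADMIN_USER),
        ("report.pdf.html", Source.EMAIL),      # last extension decides
        ("README", Source.COMMUNITY_USER),      # no extension at all
    ]
    for name, src in samples:
        print(f"{src.value:10} {name:18} -> {stored_name(name, src)}")
```

Because matching is exact and case-sensitive, `invoice.PDF` from email is stored as `invoice.PDF.unsafe` even though `pdf` is whitelisted; if your users routinely mail uppercase extensions, add those variants to the Trusted File Types field rather than relaxing the comparison.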