Since the release of Internet Explorer 7, we have not been able to use blacklisting for file extensions in email. This is because of Internet Explorer's HTML sniffing behavior on unknown file types, which would have exposed us to cross-site scripting attacks. To work around this, we have implemented whitelisting for file extensions that is flexible yet safe enough to run in most configurations. To learn how this is enabled, follow the process below.
- The old blacklisting behavior was deprecated completely. If an attachment that is not from an email was attached by a logged-in FogBugz user with Normal or Admin status, it will not be marked as .unsafe.
- Any file coming from a Community or Public user, or from Email, will be marked as .unsafe unless the file extension is whitelisted.
The default whitelisted extensions are:
- Archives: tar, gzip, gz, zip, bzip, rar
- Documents: doc, xls, ppt, docx, xlsx, xml, cty, pdf
- Text: csv, txt
- Images: jpg, jpeg, bmp, gif, png
To change the whitelisted extensions:
- From the Main Menu, select Site Configuration.
- Select the Advanced Tab.
- Add or remove the file extensions from the Trusted File Types field.
Note: FogBugz will append .unsafe to any attachment from an email or public bug submission that does not end with one of the whitelisted extensions.
Once a file extension is whitelisted, the system will allow files with that extension to be downloaded without appending .unsafe to the file name.
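
The marking rule described above, written out as an added Python example; this is an illustration and not FogBugz code. The function names, the `source` and `uploader_role` labels, and case-insensitive extension matching are assumptions made for the example.

```python
# Illustration only: names, labels and case handling are assumptions,
# not FogBugz internals. The extension list is the default from this page.
DEFAULT_TRUSTED = frozenset({
    "tar", "gzip", "gz", "zip", "bzip", "rar",                   # archives
    "doc", "xls", "ppt", "docx", "xlsx", "xml", "cty", "pdf",    # documents
    "csv", "txt",                                                # text
    "jpg", "jpeg", "bmp", "gif", "png",                          # images
})

# Hypothetical labels for logged-in users with Normal or Admin status.
TRUSTED_ROLES = frozenset({"normal", "admin"})


def final_extension(filename):
    """Return the lowercased text after the last dot, or "" if there is none.

    Only the last extension counts, so "invoice.pdf.exe" yields "exe".
    A name that ends in a dot yields "", which is never whitelisted.
    """
    _, dot, ext = filename.rpartition(".")
    return ext.lower() if dot else ""


def served_name(filename, source, uploader_role, trusted=DEFAULT_TRUSTED):
    """Return the name an attachment is served under.

    source: "email" or "web" (hypothetical labels).
    uploader_role: "admin", "normal", "community" or "public".
    """
    # Attached directly by a logged-in Normal or Admin user: never marked.
    if source != "email" and uploader_role in TRUSTED_ROLES:
        return filename
    # Email, Community and Public submissions pass only if whitelisted.
    if final_extension(filename) in trusted:
        return filename
    return filename + ".unsafe"


if __name__ == "__main__":
    # Constructed sample attachments.
    samples = [
        ("report.pdf", "email", "public"),
        ("page.html", "email", "normal"),
        ("page.html", "web", "admin"),
        ("invoice.pdf.exe", "web", "community"),
    ]
    for name, source, role in samples:
        print(f"{name!r} via {source}/{role} -> {served_name(name, source, role)!r}")
```

Anything arriving by email is checked regardless of the sender's role, and a double extension is judged on its last component only.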