CKSource Docs - User contributions [en]

CKFinder 2.x/Developers Guide/Java/Configuration/Resource Types/Built-in

2019-09-04T08:46:59Z

P.Wiaderny:

{{Ckfinder_2.x_Built-in_Resource_Types_Description|file=config.xml}}
<source lang="xml">
<types>
<type name="Flash">
<url>%BASE_URL%flash/</url>
<directory>%BASE_DIR%flash</directory>
<maxSize>0</maxSize>
<allowedExtensions>swf,flv</allowedExtensions>
<deniedExtensions></deniedExtensions>
</type>
<type name="Files">
<url>%BASE_URL%files/</url>
<directory>%BASE_DIR%files</directory>
<maxSize>0</maxSize>
<allowedExtensions>7z,aiff,asf,avi,bmp,csv,doc,docx,fla,flv,gif,gz,gzip,jpeg,jpg,mid,mov,mp3,mp4,mpc,mpeg,mpg,
ods,odt,pdf,png,ppt,pptx,qt,ram,rar,rm,rmi,rmvb,rtf,sdc,swf,sxc,sxw,tar,tgz,tif,tiff,txt,vsd,wav,wma,
wmv,xls,xlsx,zip</allowedExtensions>
<deniedExtensions></deniedExtensions>
</type>
<type name="Images">
<url>%BASE_URL%images/</url>
<directory>%BASE_DIR%images</directory>
<maxSize>0</maxSize>
<allowedExtensions>bmp,gif,jpeg,jpg,png</allowedExtensions>
<deniedExtensions></deniedExtensions>
</type>
</types>
</source>
{{Ckfinder_2.x_Built-in_Resource_Types_Notes}}
{{Ckfinder_2.x_Built-in_Resource_Types_Options|example=<source lang="xml"><maxSize>8M</maxSize></source>|link=CKFinder_2.x/Developers_Guide/Java/Configuration/Quick_Start}}

CKFinder 2.x/Developers Guide/ColdFusion/Configuration/Resource Types/Built-in

2019-09-04T08:46:25Z

P.Wiaderny:

{{Ckfinder_2.x_Built-in_Resource_Types_Description|file=config.cfm}}
<source lang="cfm">config.resourceType[1] = structNew();
config.resourceType[1].name = 'Files';
config.resourceType[1].url = config.baseUrl & 'files';
config.resourceType[1].directory = config.baseDir & 'files';
config.resourceType[1].maxSize = 0;
config.resourceType[1].allowedExtensions = '7z,aiff,asf,avi,bmp,csv,doc,fla,flv,gif,gz,gzip,jpeg,jpg,mid,mov,mp3,mp4,mpc,mpeg,
mpg,ods,odt,pdf,png,ppt,qt,ram,rar,rm,rmi,rmvb,rtf,sdc,swf,sxc,sxw,tar,tgz,tif,tiff,txt,vsd,wav,wma,wmv,xls,xml,zip';
config.resourceType[1].deniedExtensions = '';

config.resourceType[2] = structNew();
config.resourceType[2].name = 'Images';
config.resourceType[2].url = config.baseUrl & 'images';
config.resourceType[2].directory = config.baseDir & 'images';
config.resourceType[2].maxSize = 0;
config.resourceType[2].allowedExtensions = 'bmp,gif,jpeg,jpg,png';
config.resourceType[2].deniedExtensions = '';

config.resourceType[3] = structNew();
config.resourceType[3].name = 'Flash';
config.resourceType[3].url = config.baseUrl & 'flash';
config.resourceType[3].directory = config.baseDir & 'flash';
config.resourceType[3].maxSize = 0;
config.resourceType[3].allowedExtensions = 'swf,flv';
config.resourceType[3].deniedExtensions = '';
</source>
{{Ckfinder_2.x_Built-in_Resource_Types_Notes}}
These resources will be enabled by default if this option:
<source lang="cfm">config.defaultResourceTypes = '';</source>
is left empty. You may specify which resource types you want to use by placing their names separated by a comma.

{{Ckfinder_2.x_Built-in_Resource_Types_Options|example=<source lang="cfm">'maxSize' = "8M",</source>|link=CKFinder_2.x/Developers_Guide/ColdFusion/Configuration/Quick_Start}}

CKFinder 2.x/Developers Guide/ASP.NET/Configuration/Resource Types/Built-in

2019-09-04T08:45:41Z

P.Wiaderny:

{{Ckfinder_2.x_Built-in_Resource_Types_Description|file=configuration}}
<source lang="asp">ResourceType type;

type = ResourceType.Add( "Files" );
type.Url = BaseUrl + "files/";
type.Dir = BaseDir == "" ? "" : BaseDir + "files/";
type.MaxSize = 0;
type.AllowedExtensions = new string[] { "7z", "aiff", "asf", "avi", "bmp", "csv", "doc", "fla", "flv", "gif", "gz", "gzip",
"jpeg", "jpg", "mid", "mov", "mp3", "mp4", "mpc", "mpeg", "mpg", "ods", "odt", "pdf", "png", "ppt", "qt", "ram", "rar",
"rm", "rmi", "rmvb", "rtf", "sdc", "swf", "sxc", "sxw", "tar", "tgz", "tif", "tiff", "txt", "vsd", "wav", "wma", "wmv",
"xls", "zip" };
type.DeniedExtensions = new string[] { };

type = ResourceType.Add( "Images" );
type.Url = BaseUrl + "images/";
type.Dir = BaseDir == "" ? "" : BaseDir + "images/";
type.MaxSize = 0;
type.AllowedExtensions = new string[] { "bmp", "gif", "jpeg", "jpg", "png" };
type.DeniedExtensions = new string[] { };

type = ResourceType.Add( "Flash" );
type.Url = BaseUrl + "flash/";
type.Dir = BaseDir == "" ? "" : BaseDir + "flash/";
type.MaxSize = 0;
type.AllowedExtensions = new string[] { "swf", "flv" };
type.DeniedExtensions = new string[] { };
</source>
{{Ckfinder_2.x_Built-in_Resource_Types_Notes}}
== Defining DefaultResourceTypes ==

When opening CKFinder, you may specify which Resource Type to make visible by appending '''?type=<TypeName>''' to the CKFinder URL. If instead the type is not passed in the URL, the DefaultResourceTypes setting will be used to identify which Resource Types to load. If blank, all Resource Types will be displayed. For example:

<source lang="asp">
// Show all Resource Types:
DefaultResourceTypes = "";

// Show the "Images" and "Files" Resource Types only (separated by comma):
DefaultResourceTypes = "Images,Files";
</source>

== Resource Type Options ==

For each resource type you may set several options to precisely configure its behavior.

=== Url and Dir ===

Define the base URL address and the server directory to use to handle and publish the files for this Resource Type. They follow the same rules as defined in the [[CKFinder_2.x/Developers Guide/ASP.NET/Configuration/Quick Start#Base URL and Directory|Quick Start]] section for the '''BaseUrl''' and '''BaseDir''' settings.

=== MaxSize ===

It's the maximum size allowed for uploaded file defined in Bytes.

=== AllowedExtensions and DeniedExtensions ===

You can use this settings to list the file extensions that can be upload to the server.

* '''AllowedExtensions''' - the extensions you wish CKFinder to use. If left empty, only DeniedExtensions is used to check uploads. <code>NO_EXT</code> value can be used for files without extension.
* '''DeniedExtensions''' - the extensions you don't wish the CKFinder to use. <code>NO_EXT</code> value can be used for files without extension.

'''Important: It is recommended''' to always use the AllowedExtensions setting, in favor of DeniedExtensions. If you leave '''AllowedExtensions''' empty and you define an extension in '''DeniedExtensions''', for example "pdf", it will allow the upload of all the other files except the files with the "pdf" extension. However it isn't a good way to secure your server from unwanted uploads. The best way is to put all of the preferred extensions in '''AllowedExtensions'''. That's the only way to effectively secure your server from hacker's attacks.

CKFinder 2.x/Developers Guide/ASP.NET/Configuration/Resource Types/Built-in

2019-09-04T08:45:09Z

P.Wiaderny:

{{Ckfinder_2.x_Built-in_Resource_Types_Description|file=configuration}}
<source lang="asp">ResourceType type;

type = ResourceType.Add( "Files" );
type.Url = BaseUrl + "files/";
type.Dir = BaseDir == "" ? "" : BaseDir + "files/";
type.MaxSize = 0;
type.AllowedExtensions = new string[] { "7z", "aiff", "asf", "avi", "bmp", "csv", "doc", "fla", "flv", "gif", "gz", "gzip",
"jpeg", "jpg", "mid", "mov", "mp3", "mp4", "mpc", "mpeg", "mpg", "ods", "odt", "pdf", "png", "ppt", "qt", "ram", "rar",
"rm", "rmi", "rmvb", "rtf", "sdc", "swf", "sxc", "sxw", "tar", "tgz", "tif", "tiff", "txt", "vsd", "wav", "wma", "wmv",
"xls", "zip" };
type.DeniedExtensions = new string[] { };

type = ResourceType.Add( "Images" );
type.Url = BaseUrl + "images/";
type.Dir = BaseDir == "" ? "" : BaseDir + "images/";
type.MaxSize = 0;
type.AllowedExtensions = new string[] { "bmp", "gif", "jpeg", "jpg", "png" };
type.DeniedExtensions = new string[] { };

type = ResourceType.Add( "Flash" );
type.Url = BaseUrl + "flash/";
type.Dir = BaseDir == "" ? "" : BaseDir + "flash/";
type.MaxSize = 0;
type.AllowedExtensions = new string[] { "swf", "flv" };
type.DeniedExtensions = new string[] { };
</source>
{{Ckfinder_2.x_Built-in_Resource_Types_Notes}}
== Defining DefaultResourceTypes ==

When opening CKFinder, you may specify which Resource Type to make visible by appending '''?type=<TypeName>''' to the CKFinder URL. If instead the type is not passed in the URL, the DefaultResourceTypes setting will be used to identify which Resource Types to load. If blank, all Resource Types will be displayed. For example:

<source lang="asp">
// Show all Resource Types:
DefaultResourceTypes = "";

// Show the "Images" and "Files" Resource Types only (separated by comma):
DefaultResourceTypes = "Images,Files";
</source>

== Resource Type Options ==

For each resource type you may set several options to precisely configure its behavior.

=== Url and Dir ===

Define the base URL address and the server directory to use to handle and publish the files for this Resource Type. They follow the same rules as defined in the [[CKFinder_2.x/Developers Guide/ASP.NET/Configuration/Quick Start#Base URL and Directory|Quick Start]] section for the '''BaseUrl''' and '''BaseDir''' settings.

=== MaxSize ===

It's the maximum size allowed for uploaded file defined in Bytes.

=== AllowedExtensions and DeniedExtensions ===

You can use this settings to list the file extensions that can be upload to the server.

* '''AllowedExtensions''' - the extensions you wish CKFinder to use. If left empty, only DeniedExtensions is used to check uploads.
* '''DeniedExtensions''' - the extensions you don't wish the CKFinder to use.

'''Important: It is recommended''' to always use the AllowedExtensions setting, in favor of DeniedExtensions. If you leave '''AllowedExtensions''' empty and you define an extension in '''DeniedExtensions''', for example "pdf", it will allow the upload of all the other files except the files with the "pdf" extension. However it isn't a good way to secure your server from unwanted uploads. The best way is to put all of the preferred extensions in '''AllowedExtensions'''. That's the only way to effectively secure your server from hacker's attacks.

CKFinder 2.x/Developers Guide/ASP/Configuration/Resource Types/Built-in

2019-09-04T08:44:33Z

P.Wiaderny:

{{Ckfinder_2.x_Built-in_Resource_Types_Description|file=configuration}}
<source lang="asp">Set ResourceTypes(0) = DefineResourceType( _
"Files", _
baseUrl & "files", _
baseDir & "files", _
0, _
"7z,aiff,asf,avi,bmp,csv,doc,fla,flv,gif,gz,gzip,jpeg,jpg,mid,mov,mp3,mp4,mpc,mpeg,mpg,ods,odt,pdf,png,ppt,qt,ram,rar,rm,
rmi,rmvb,rtf,sdc,swf,sxc,sxw,tar,tgz,tif,tiff,txt,vsd,wav,wma,wmv,xls,xml,zip", _
"" _
)

Set ResourceTypes(1) = DefineResourceType( _
"Images", _
baseUrl & "images", _
baseDir & "images", _
0, _
"bmp,gif,jpeg,jpg,png", _
"" _
)

Set ResourceTypes(2) = DefineResourceType( _
"Flash", _
baseUrl & "flash", _
baseDir & "flash", _
0, _
"swf,flv", _
"" _
)</source>
{{Ckfinder_2.x_Built-in_Resource_Types_Notes}}

The above syntax reffers to functions written below in the following order:
<source lang="asp">ResourceType.Add "name", name
ResourceType.Add "url", url
ResourceType.Add "directory", directory
ResourceType.Add "maxSize", maxSize
ResourceType.Add "allowedExtensions", allowedExtensions
ResourceType.Add "deniedExtensions", deniedExtensions
</source>

These resources will be enabled by default if this option:
<source lang="asp">CKFinder_Config.Add "DefaultResourceTypes", ""</source>
is left empty. You may specify which resource types you want to use by placing their names separated by a comma.

{{Ckfinder_2.x_Built-in_Resource_Types_Options|link=CKFinder_2.x/Developers_Guide/ASP/Configuration/Quick_Start}}

Template:Ckfinder 2.x Built-in Resource Types Options

2019-09-04T08:43:38Z

P.Wiaderny:

== Resource Type Options ==
For each resource type you may set several options to configure its behavior.

* <code>url</code> and <code>directory</code> – define the base URL address and the server directory used to handle and publish the files for this resource type. They follow the same rules as defined in the [[{{{link}}}|Quick Start]] section for the <code>baseUrl</code> and <code>baseDir</code> settings.

* <code>maxSize</code> – is the maximum size of the uploaded image defined in bytes. You may also use shorthand notation. Available options are: <code>G</code>, <code>M</code>, <code>K</code> (case insensitive). Remember that <code>1M</code> equals 1048576 bytes (one Megabyte), <code>1K</code> equals 1024 bytes (one Kilobyte), <code>1G</code> equals 1 Gigabyte.
*; Example: {{{example}}}

You can use the following settings to list the file extensions that can be upload to the server:
* <code>allowedExtensions</code> – the file extensions you wish to be allowed for upload with CKFinder. If left empty, only <code>deniedExtensions</code> is used to check uploads. <code>NO_EXT</code> value can be used for files without extension.
* <code>deniedExtensions</code> – the file extensions you do not wish to be uploaded with CKFinder. <code>NO_EXT</code> value can be used for files without extension.

<note>Important: It is '''recommended''' to always use the <code>allowedExtensions</code> setting, in favor of <code>deniedExtensions</code>. If you leave <code>allowedExtensions</code> empty and you add an extension to the <code>deniedExtensions</code> list, for example <code>pdf</code>, the settings will allow the upload of all other files except the files with the <code>pdf</code> extension. This approach is not a good way to secure your server from unwanted uploads. The best way is to put all of the preferred extensions in the <code>allowedExtensions</code> list. This is the only way to effectively secure your server from hacker attacks.</note>

CKFinder 2.x/Developers Guide/PHP/Configuration/Resource Types/Built-in

2019-09-04T08:41:40Z

P.Wiaderny:

{{Ckfinder_2.x_Built-in_Resource_Types_Description|file=config.php}}

<source lang="php">
$config['ResourceType'][] = Array(
'name' => 'Files', // Single quotes not allowed
'url' => $baseUrl . 'files',
'directory' => $baseDir . 'files',
'maxSize' => 0,
'allowedExtensions' => '7z,aiff,asf,avi,bmp,csv,doc,fla,flv,gif,gz,gzip,jpeg,jpg,mid,mov,mp3,mp4,mpc,mpeg,mpg,ods,odt,pdf,png,
ppt,qt,ram,rar,rm,rmi,rmvb,rtf,sdc,swf,sxc,sxw,tar,tgz,tif,tiff,txt,vsd,wav,wma,wmv,xls,xml,zip',
'deniedExtensions' => '');

$config['ResourceType'][] = Array(
'name' => 'Images',
'url' => $baseUrl . 'images',
'directory' => $baseDir . 'images',
'maxSize' => 0,
'allowedExtensions' => 'bmp,gif,jpeg,jpg,png',
'deniedExtensions' => '');

$config['ResourceType'][] = Array(
'name' => 'Flash',
'url' => $baseUrl . 'flash',
'directory' => $baseDir . 'flash',
'maxSize' => 0,
'allowedExtensions' => 'swf,flv',
'deniedExtensions' => '');</source>
{{Ckfinder_2.x_Built-in_Resource_Types_Notes}}
These resources will be enabled by default if this option:
<source lang="php">$config['DefaultResourceTypes'] = '';</source>
is left empty. You may specify which resource types you want to use by placing their names separated by a comma.

{{Ckfinder_2.x_Built-in_Resource_Types_Options|example=<source lang="php">'maxSize' => "8M",</source>|link=CKFinder_2.x/Developers_Guide/PHP/Configuration/Quick_Start}}

CKFinder 2.x/Developers Guide/Java/Configuration/Security/Securing a Publicly Accessible Folder

2019-08-21T11:12:01Z

P.Wiaderny:

{{Ckfinder_2.x Securing a Publicly Accessible Folder}}

The simplest way to add the <code>X-Content-Type-Options</code> header to all the responses is by creating a servlet filter, like presented on the code listing below.

<source lang="java">
import javax.servlet.*;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;

public class ContentOptionsFilter implements Filter {
@Override
public void init(FilterConfig filterConfig) {
}

@Override
public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException {
((HttpServletResponse) response).setHeader("X-Content-Type-Options", "nosniff");
chain.doFilter(request, response);
}

@Override
public void destroy() {}
}
</source>

CKFinder 2.x/Developers Guide/Java/Configuration/Security/Securing a Publicly Accessible Folder

2019-08-21T11:11:34Z

P.Wiaderny:

{{Ckfinder_2.x Securing a Publicly Accessible Folder}}

The simplest way to add the `X-Content-Type-Options` header to all the responses is by creating a servlet filter, like presented on the code listing below.

<source lang="java">
import javax.servlet.*;
import javax.servlet.http.HttpServletResponse;
import java.io.IOException;

public class ContentOptionsFilter implements Filter {
@Override
public void init(FilterConfig filterConfig) {
}

@Override
public void doFilter(ServletRequest request, ServletResponse response, FilterChain chain) throws IOException, ServletException {
((HttpServletResponse) response).setHeader("X-Content-Type-Options", "nosniff");
chain.doFilter(request, response);
}

@Override
public void destroy() {}
}
</source>

CKFinder 2.x/Developers Guide/Java/Configuration/Security/Securing a Publicly Accessible Folder

2019-08-21T10:59:21Z

P.Wiaderny: Created page with "{{Ckfinder_2.x Securing a Publicly Accessible Folder}}"

CKFinder 2.x/Developers Guide/Java/Configuration

2019-08-21T10:59:05Z

P.Wiaderny:

== Server Side Configuration ==
CKFinder configuration in Java is based on editing the '''<code>config.xml</code>''' file. To learn more refer to the following sections:

* [[/Quick Start|Quick Start]]
** [[/baseURL and baseDir|baseURL and baseDir Explained]]
* [[/Access Control|Access Control]]
* [[/Images|Images]]
* [[/Resource Types|Resource Types]]
** [[/Resource Types/Built-in|Built-in Resource Types]]
** [[/Resource Types/New|Adding New Resource Types]]
* [[/Security|Security]]
** [[/Security/Double file extensions|Double File Extensions]]
** [[/Security/Image uploads|Image Uploads]]
** [[/Security/Html extensions|HTML Extensions]]
** [[/Security/Securing a Publicly Accessible Folder|Securing a Publicly Accessible Folder]]
* [[/URI Encoding|URI Encoding]]
* [[/Hiding Folders and Files|Hiding Specific Folders and Files]]
* [[/Extending|Extending Configuration]]

{{CKFinder_2.x JavaScript Configuration|language=Java}}

CKFinder 2.x/Developers Guide/ColdFusion/Configuration/Security

2019-08-21T10:57:37Z

P.Wiaderny:

Due to improve security issues on your server please follow the information written in sections below:

* [[CKFinder_2.x/Developers Guide/ColdFusion/Configuration/Security/Double file extensions|Double file extensions]]
* [[CKFinder_2.x/Developers Guide/ColdFusion/Configuration/Security/Image uploads|Image Uploads]]
* [[CKFinder_2.x/Developers Guide/ColdFusion/Configuration/Security/Html extensions|Html extensions]]
* [[CKFinder_2.x/Developers Guide/ColdFusion/Configuration/Security/Securing a Publicly Accessible Folder|Securing a Publicly Accessible Folder]]

CKFinder 2.x/Developers Guide/ColdFusion/Configuration/Security/Securing a Publicly Accessible Folder

2019-08-21T10:56:44Z

P.Wiaderny: Created page with "{{Ckfinder_2.x Securing a Publicly Accessible Folder}}"

CKFinder 2.x/Developers Guide/ColdFusion/Configuration

2019-08-21T10:56:28Z

P.Wiaderny:

== Server Side Configuration ==

CKFinder configuration in ColdFusion is based on editing the '''config.cfm''' file. To learn more go throughout the following sections:

* [[/Quick Start|Quick Start]]
* [[/Sessions|Sessions]]
* [[/Access Control|Access Control]]
* [[/Images|Images]]
* [[/Resource Types|Resource Types]]
** [[/Resource Types/Built-in|Built-in Resource Types]]
** [[/Resource Types/New|Adding New Resource Types]]
* [[/Security|Security]]
** [[/Security/Double file extensions|Double File Extensions]]
** [[/Security/Image uploads|Image Uploads]]
** [[/Security/Html extensions|HTML Extensions]]
** [[/Security/Securing a Publicly Accessible Folder|Securing a Publicly Accessible Folder]]

{{CKFinder_2.x JavaScript Configuration|language=PHP}}

CKFinder 2.x/Developers Guide/ASP.NET/Configuration/Security

2019-08-21T10:55:51Z

P.Wiaderny:

Due to improve security issues on your server please follow the information written in sections below:

* [[/Double file extensions|Double file extensions]]
* [[/Image uploads|Image Uploads]]
* [[/Html extensions|Html extensions]]
* [[/Securing a Publicly Accessible Folder|Securing a Publicly Accessible Folder]]

CKFinder 2.x/Developers Guide/ASP.NET/Configuration/Security/Securing a Publicly Accessible Folder

2019-08-21T10:55:08Z

P.Wiaderny: Created page with "{{Ckfinder_2.x Securing a Publicly Accessible Folder}} '''Microsoft IIS''' For Microsoft IIS servers, you can enable the <code>X-Content-Type-Options</code> header in your..."

{{Ckfinder_2.x Securing a Publicly Accessible Folder}}

'''Microsoft IIS'''

For Microsoft IIS servers, you can enable the <code>X-Content-Type-Options</code> header in your <code>web.config</code> file:

<source lang="xml">
<system.webServer>
<httpProtocol>
<customHeaders>
<remove name="X-Content-Type-Options"/>
<add name="X-Content-Type-Options" value="nosniff"/>
</customHeaders>
</httpProtocol>
</system.webServer>
</source>

CKFinder 2.x/Developers Guide/ASP.NET/Configuration

2019-08-21T10:54:40Z

P.Wiaderny:

== Server Side Configuration ==
All configurations for CKFinder for ASP.NET can be found in the '''config.ascx''' file. To learn more go throughout the following sections:

* [[/Quick Start|Quick Start]]
* [[/Access Control|Access Control]]
* [[/Images|Images]]
* [[/Resource Types|Resource Types]]
** [[/Resource Types/Built-in|Built-in Resource Types]]
** [[/Resource Types/New|Adding New Resource Types]]
* [[/Security|Security]]
** [[/Security/Double file extensions|Double File Extensions]]
** [[/Security/Image uploads|Image Uploads]]
** [[/Security/Html extensions|HTML Extensions]]
** [[/Security/Securing a Publicly Accessible Folder|Securing a Publicly Accessible Folder]]

{{CKFinder_2.x JavaScript Configuration|language=ASP.NET}}

CKFinder 2.x/Developers Guide/ASP/Configuration/Security/Securing a Publicly Accessible Folder

2019-08-21T10:53:55Z

CKFinder 2.x/Developers Guide/ASP/Configuration

2019-08-21T10:52:41Z

P.Wiaderny:

== Server Side Configuration ==

CKFinder configuration in the ASP language is based on editing the '''config.asp''' file. To learn more go throughout the following sections:

* [[/Quick Start|Quick Start]]
* [[/Access Control|Access Control]]
* [[/Images|Images]]
* [[/Resource Types|Resource Types]]
** [[/Resource Types/Built-in|Built-in Resource Types]]
** [[/Resource Types/New|Adding New Resource Types]]
* [[/Security|Security]]
** [[/Security/Double file extensions|Double File Extensions]]
** [[/Security/Image uploads|Image Uploads]]
** [[/Security/Html extensions|HTML Extensions]]
** [[/Security/Securing a Publicly Accessible Folder|Securing a Publicly Accessible Folder]]

{{CKFinder_2.x JavaScript Configuration|language=ASP}}

Template:Ckfinder 2.x Securing a Publicly Accessible Folder

2019-08-21T10:51:12Z

P.Wiaderny: Created page with "When integrating CKFinder, you will often want to give users access to uploaded files, so they can insert images or links to files into the edited content. This requires to ma..."

CKFinder 2.x/Developers Guide/PHP/Configuration/Security/Securing a Publicly Accessible Folder

2019-08-21T10:50:51Z

P.Wiaderny:

{{Ckfinder_2.x Securing a Publicly Accessible Folder}}

'''Apache'''

If you use the Apache web server, you can add custom HTTP response headers using [https://httpd.apache.org/docs/current/mod/mod_headers.html mod_headers]. Make sure the <code>mod_headers</code> module is enabled, and create (or modify) the following <code>.htaccess</code> file in the root of the publicly accessible folder (for example <code>userfiles/.htaccess</code>):

<source lang="bash">
Header set X-Content-Type-Options "nosniff"
</source>

'''Nginx'''

If you use Nginx, custom HTTP response headers can be defined per location:

<source lang="bash">
location /userfiles {
add_header X-Content-Type-Options nosniff;
}
</source>

'''Microsoft IIS'''

For Microsoft IIS servers, you can enable the <code>X-Content-Type-Options</code> header in your <code>web.config</code> file:

<source lang="xml">
<system.webServer>
<httpProtocol>
<customHeaders>
<remove name="X-Content-Type-Options"/>
<add name="X-Content-Type-Options" value="nosniff"/>
</customHeaders>
</httpProtocol>
</system.webServer>
</source>

Template:Ckfinder 2.x Security

2019-08-21T10:42:37Z

P.Wiaderny:

In order to improve the security of your server we recommend you follow the information presented in the sections below:

* [[/Double file extensions|Double file extensions]]
* [[/Image uploads|Image uploads]]
* [[/Html extensions|HTML extensions]]
* [[/Securing a Publicly Accessible Folder|Securing a Publicly Accessible Folder]]

Template:Ckfinder 2.x html extension Description

2019-08-21T10:39:41Z

P.Wiaderny:

{{#CUSTOMTITLE:Declaring HTML Extensions}}
Sometimes when you are uploading a file it may contain HTML code in the first kilobytes of its data. CKFinder will upload the file with the HTML code only when the file extension is added to the following configuration setting: 
{{{code}}}

If you, for example, want to upload an <code>.xsl</code> file that contains HTML code at the beginning of the file, you should add this file extension to the list.
{{{code2}}}

Please note that this feature performs only a very basic set of checks to detect HTML-like data in the first 1kB of the file contents to protect users e.g. against unintentional uploading of files with HTML content and with a wrong extension. <br>

Template:Ckfinder 2.x html extension Description

2019-08-21T10:38:48Z

P.Wiaderny:

CKFinder 2.x/Developers Guide/PHP/Configuration

2019-08-21T10:31:37Z

P.Wiaderny:

== Server Side Configuration ==
CKFinder configuration in the PHP language is based on editing the '''config.php''' file. To learn more go throughout the following sections:

* [[/Quick Start|Quick Start]]
* [[/Sessions|Sessions]]
* [[/Access Control|Access Control]]
* [[/Images|Images]]
* [[/Resource Types|Resource Types]]
** [[/Resource Types/Built-in|Built-in Resource Types]]
** [[/Resource Types/New|Adding New Resource Types]]
* [[/Security|Security]]
** [[/Security/Double file extensions|Double File Extensions]]
** [[/Security/Image uploads|Image Uploads]]
** [[/Security/Html extensions|HTML Extensions]]
** [[/Security/Securing a Publicly Accessible Folder|Securing a Publicly Accessible Folder]]
* [[/File system Encoding|File System Encoding]]

{{CKFinder_2.x JavaScript Configuration|language=PHP}}

CKFinder 2.x/Developers Guide/PHP/Configuration/Security/Securing a Publicly Accessible Folder

2019-08-21T10:23:20Z

P.Wiaderny:

When integrating CKFinder, you will often want to give users access to uploaded files, so they can insert images or links to files into the edited content. This requires to make the folder publicly accessible, so all the files are served through the web server. If you rely on your web server to serve the files uploaded with CKFinder, you should take additional steps to make sure the files are served in a secure way.

Let us assume that you have configured your CKFinder to allow uploading of avi files. Even if the avi file is then served with a valid Content-Type: <code>video/x-msvideo</code> header, some browsers may ignore this information and perform additional checks on the raw file contents. If any HTML-like data is detected in the file content, the browser may decide to ignore information about the content type and handle the served content as if it was a regular web page. This behavior is called [https://en.wikipedia.org/wiki/Content_sniffing content sniffing] (also known as ''media type sniffing'' or ''MIME sniffing''), and in some circumstances, it may lead to security issues (for example, it may open door for XSS attacks)).

To avoid content sniffing, you should make sure that your server adds the <code>X-Content-Type-Options: nosniff</code> header to all HTTP responses when serving files from the publicly available folder. The <code>X-Content-Type-Options</code> response HTTP header is a marker used by the server to indicate that the MIME type set by the <code>Content-Type</code> header should not be changed and should be followed. As a result, the browser does not perform any content sniffing on the received content.

'''Apache'''

If you use the Apache web server, you can add custom HTTP response headers using [https://httpd.apache.org/docs/current/mod/mod_headers.html mod_headers]. Make sure the <code>mod_headers</code> module is enabled, and create (or modify) the following <code>.htaccess</code> file in the root of the publicly accessible folder (for example <code>userfiles/.htaccess</code>):

<source lang="bash">
Header set X-Content-Type-Options "nosniff"
</source>

'''Nginx'''

If you use Nginx, custom HTTP response headers can be defined per location:

<source lang="bash">
location /userfiles {
add_header X-Content-Type-Options nosniff;
}
</source>

'''Microsoft IIS'''

For Microsoft IIS servers, you can enable the <code>X-Content-Type-Options</code> header in your <code>web.config</code> file:

<source lang="xml">
<system.webServer>
<httpProtocol>
<customHeaders>
<remove name="X-Content-Type-Options"/>
<add name="X-Content-Type-Options" value="nosniff"/>
</customHeaders>
</httpProtocol>
</system.webServer>
</source>

CKFinder 2.x/Developers Guide/PHP/Configuration/Security/Securing a Publicly Accessible Folder

2019-08-21T10:22:42Z

CKFinder 2.x/Developers Guide/PHP/Configuration

2019-08-21T10:08:32Z

P.Wiaderny:

== Server Side Configuration ==
CKFinder configuration in the PHP language is based on editing the '''config.php''' file. To learn more go throughout the following sections:

* [[/Quick Start|Quick Start]]
* [[/Sessions|Sessions]]
* [[/Access Control|Access Control]]
* [[/Images|Images]]
* [[/Resource Types|Resource Types]]
** [[/Resource Types/Built-in|Built-in Resource Types]]
** [[/Resource Types/New|Adding New Resource Types]]
* [[/Security|Security]]
** [[/Security/Double file extensions|Double File Extensions]]
** [[/Security/Image uploads|Image Uploads]]
** [[/Security/Html extensions|HTML Extensions]]
** [[/Security/Html extensions|HTML Extensions]]
** [[/Security/Securing a Publicly Accessible Folder|Securing a Publicly Accessible Folder]]
* [[/File system Encoding|File System Encoding]]

{{CKFinder_2.x JavaScript Configuration|language=PHP}}