search

File Upload Restrictions

File upload capabilities in SPE can be restricted by file type and destination path. This provides defense in depth by preventing malicious file uploads even if the upload service is enabled.

hashtag
Overview

When the File Upload service is enabled, SPE enforces restrictions on:

  • File Types - Which file extensions and MIME types can be uploaded

  • Upload Locations - Which directories files can be written to

These restrictions apply to uploads via:

  • SPE Remoting file upload

  • Custom scripts using upload functionality

circle-info

This feature was introduced in SPE with #1362arrow-up-right

hashtag
Default Configuration

By default, SPE allows limited file types and restricts uploads to the Sitecore temp folder:

<powershell>
  <uploadFile>
    <allowedFileTypes>
      <pattern>image/*</pattern>
      <pattern>.xls</pattern>
      <pattern>.xlsx</pattern>
      <pattern>.csv</pattern>
    </allowedFileTypes>
    <allowedLocations>
      <path>$SitecoreMediaFolder</path>
    </allowedLocations>
  </uploadFile>
</powershell>

hashtag
File Type Restrictions

hashtag
How It Works

File types can be restricted using:

  1. File Extensions - Specific extensions like .csv, .txt, .xml

  2. MIME Type Patterns - Wildcards like image/*, text/*, application/json

hashtag
Configuration Examples

hashtag
Allow Specific Extensions

hashtag
Allow MIME Type Categories

hashtag
Allow Office Documents

hashtag
Common File Type Patterns

File Type
Extension Pattern
MIME Type Pattern

Images

.jpg, .png, .gif

image/*

Documents

.pdf, .doc, .docx

application/pdf, application/msword

Spreadsheets

.xls, .xlsx, .csv

application/vnd.ms-excel, text/csv

Text Files

.txt, .log

text/plain, text/*

Data Files

.json, .xml

application/json, application/xml

Archives

.zip

application/zip

triangle-exclamation

Security Warning: Be extremely careful allowing executable file types like .exe, .dll, .ps1, .bat, .cmd, .vbs, .js. These can be used to compromise the server.

hashtag
Upload Location Restrictions

hashtag
How It Works

SPE restricts where files can be uploaded using path patterns. These paths support Sitecore variables.

hashtag
Sitecore Path Variables

Variable
Resolves To
Typical Path

$SitecoreDataFolder

Data folder

C:\inetpub\wwwroot\App_Data

$SitecoreLogFolder

Log folder

C:\inetpub\wwwroot\App_Data\logs

$SitecorePackageFolder

Package folder

C:\inetpub\wwwroot\App_Data\packages

$SitecoreTempFolder

Temp folder

C:\inetpub\wwwroot\temp

$SitecoreMediaFolder

Media folder

C:\inetpub\wwwroot\upload

hashtag
Configuration Examples

hashtag
Allow Only Temp Folder (Most Secure)

circle-check

Recommended: Standardize your solution with a folder that you will routinely clean.

hashtag
Allow Multiple Locations

hashtag
Dangerous Locations to NEVER Allow

Never allow uploads to these locations:

hashtag
Complete Configuration Examples

hashtag
Secure Configuration (Data Import Use Case)

Allow CSV/Excel imports to a dedicated import folder:

hashtag
Best Practices

hashtag
Security Recommendations

Do:

  • Use the principle of least privilege - only allow necessary file types

  • Restrict uploads to non-web-accessible folders when possible

  • Use $SitecoreTempFolder as the primary upload location

  • Create dedicated subdirectories for different upload purposes

  • Regularly clean up uploaded files

  • Monitor upload activity

  • Use both extension AND MIME type patterns for defense in depth

  • Test your restrictions before deploying to production

Don't:

  • Allow executable file types (.exe, .dll, .ps1, etc.)

  • Allow uploads to the web root or bin folder

  • Allow uploads to system directories

  • Use wildcard MIME types like */* (allows everything)

  • Forget to restrict both file types AND locations

  • Allow script files that could be executed

  • Trust client-provided file extensions without validation

hashtag
Configuration Strategy

  1. Start Restrictive - Begin with minimal allowed types and locations

  2. Add as Needed - Only add permissions when you have a specific use case

  3. Document Reasons - Comment your configuration explaining why each type/location is allowed

  4. Regular Review - Audit allowed types and locations quarterly

hashtag
Troubleshooting

hashtag
Upload fails even though file type is allowed

Possible causes:

  1. Location is not in allowedLocations

  2. MIME type doesn't match pattern

  3. File extension doesn't match pattern

Solution: Check both file type and location configuration.

hashtag
MIME type wildcard doesn't work

Cause: Pattern syntax error or MIME type mismatch.

Solution: Use specific MIME types or verify wildcard syntax (image/*, not image*).

hashtag
Variable like $SitecoreTempFolder doesn't resolve

Cause: Variable not recognized by SPE configuration.

Solution: Use supported Sitecore variables or absolute paths.

hashtag
Related Topics

hashtag
References

PreviousWeb ServicesNextLogging and Monitoring

Last updated