File Upload Restrictions

File upload capabilities in SPE can be restricted by file type and destination path. This provides defense in depth by preventing malicious file uploads even if the upload service is enabled.

Overview

When the File Upload service is enabled, SPE enforces restrictions on:

• File Types - Which file extensions and MIME types can be uploaded

• Upload Locations - Which directories files can be written to

These restrictions apply to uploads via:

• SPE Remoting file upload

• Custom scripts using upload functionality

Default Configuration

By default, SPE allows limited file types and restricts uploads to the Sitecore temp folder:

<powershell>
  <uploadFile>
    <allowedFileTypes>
      <pattern>image/*</pattern>
      <pattern>.xls</pattern>
      <pattern>.xlsx</pattern>
      <pattern>.csv</pattern>
    </allowedFileTypes>
    <allowedLocations>
      <path>$SitecoreMediaFolder</path>
    </allowedLocations>
  </uploadFile>
</powershell>

File Type Restrictions

How It Works

File types can be restricted using:

1. File Extensions - Specific extensions like .csv, .txt, .xml

2. MIME Type Patterns - Wildcards like image/*, text/*, application/json

Configuration Examples

Allow Specific Extensions

Allow MIME Type Categories

Allow Office Documents

Common File Type Patterns

Upload Location Restrictions

How It Works

SPE restricts where files can be uploaded using path patterns. These paths support Sitecore variables.

Sitecore Path Variables

Configuration Examples

Allow Only Temp Folder (Most Secure)

Allow Multiple Locations

Dangerous Locations to NEVER Allow

❌ Never allow uploads to these locations:

Complete Configuration Examples

Secure Configuration (Data Import Use Case)

Allow CSV/Excel imports to a dedicated import folder:

Best Practices

Security Recommendations

✅ Do:

• Use the principle of least privilege - only allow necessary file types

• Restrict uploads to non-web-accessible folders when possible

• Use $SitecoreTempFolder as the primary upload location

• Create dedicated subdirectories for different upload purposes

• Regularly clean up uploaded files

• Monitor upload activity

• Use both extension AND MIME type patterns for defense in depth

• Test your restrictions before deploying to production

❌ Don't:

• Allow executable file types (.exe, .dll, .ps1, etc.)

• Allow uploads to the web root or bin folder

• Allow uploads to system directories

• Use wildcard MIME types like */* (allows everything)

• Forget to restrict both file types AND locations

• Allow script files that could be executed

• Trust client-provided file extensions without validation

Configuration Strategy

1. Start Restrictive - Begin with minimal allowed types and locations

2. Add as Needed - Only add permissions when you have a specific use case

3. Document Reasons - Comment your configuration explaining why each type/location is allowed

4. Regular Review - Audit allowed types and locations quarterly

Troubleshooting

Upload fails even though file type is allowed

Possible causes:

1. Location is not in allowedLocations

2. MIME type doesn't match pattern

3. File extension doesn't match pattern

Solution: Check both file type and location configuration.

MIME type wildcard doesn't work

Cause: Pattern syntax error or MIME type mismatch.

Solution: Use specific MIME types or verify wildcard syntax (image/*, not image*).

Variable like $SitecoreTempFolder doesn't resolve

Cause: Variable not recognized by SPE configuration.

Solution: Use supported Sitecore variables or absolute paths.

Related Topics

• Web Services Security - Enable/disable file upload service

• Security Checklist - Validate your configuration

• Logging and Monitoring - Monitor upload activity

References

• GitHub Issue #1362 - Feature introduction