Product Add-ons Limit Upload Size & Only Allow Certain Filetype Extensions
With the Product Add-ons extension there is an extreme security flaw not being able to specify what filetype extensions to be allowed as uploads. Also setting up a max upload size would be beneficial. Currently its default upload size is whatever is specified in the php.ini. So if someone is unable to change that or needs it to have a 100mb upload limit for personal uploads, then the customers or hackers can flood your server with large files as well as any filetype they want!
This should be a high priority as it is a very popular extension!
We’ve explored this further and have determined that the features requested here are already present within WordPress.
Enabling large file uploads is best done at the server level, as mentioned in the original ideas post.
File type restrictions are handled by WordPress natively. Files uploaded through WooCommerce Product Addons are handled using the wp_handle_upload() function, which checks that the file type is one of the supported file types within WordPress. File type support can be customised via WordPress filters.
Thanks and regards,
Woo Product Lead at Automattic
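The filter-based customisation mentioned in the reply above could look like the following. This is an added example, not code from WooCommerce or from this thread: `upload_mimes` and `wp_handle_upload_prefilter` are WordPress core hooks, while the allow-list, the 5 MB cap, the `example_` names and the choice to scope the rules by the `upload_files` capability are assumptions made for illustration.

```php
<?php
/**
 * Added example: tighten uploads that pass through wp_handle_upload()
 * for visitors who cannot use the media library.
 * The allow-list, size cap and capability scoping below are assumed values.
 */

// Constructed allow-list: extension pattern => MIME type.
const EXAMPLE_ALLOWED_MIMES = array(
    'jpg|jpeg' => 'image/jpeg',
    'png'      => 'image/png',
    'pdf'      => 'application/pdf',
);

// Assumed per-file limit of 5 MB.
const EXAMPLE_MAX_BYTES = 5 * 1024 * 1024;

// Assumption: customers and guests lack the 'upload_files' capability,
// so editors and administrators keep the WordPress defaults.
function example_is_restricted_uploader() {
    return ! current_user_can( 'upload_files' );
}

// Replace the allowed MIME list for restricted uploaders. WordPress
// consults this list when wp_handle_upload() checks the file type.
add_filter( 'upload_mimes', function ( $mimes ) {
    return example_is_restricted_uploader() ? EXAMPLE_ALLOWED_MIMES : $mimes;
} );

// Reject oversized files before WordPress moves them into uploads/.
// A non-empty string in $file['error'] makes wp_handle_upload() fail
// and return that message to the caller.
add_filter( 'wp_handle_upload_prefilter', function ( $file ) {
    if ( example_is_restricted_uploader() && $file['size'] > EXAMPLE_MAX_BYTES ) {
        $file['error'] = 'File exceeds the maximum allowed size.';
    }
    return $file;
} );
```

The size check runs only after PHP has accepted the request, so the php.ini limits still bound how much data the server receives per upload.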
More than a year and you guys did little to nothing about it. Ridiculous. Being that you charge for a license and support every year, you should be on top of this.
Hi everybody, is there any update about this issue?
It seems it has not yet been fixed, notwithstanding it's a very delicate flaw!
Kindly let me know,
I just tried to upload a php file to my system and was prevented. Seems this request should be closed?
Tom Burton commented
I agree completely, these are essential components of a file upload field. Using an uploader widget instead of a basic file upload field would be another worthwhile improvement, along with Admin options to resize images upon upload.
Here is a picture example http://support.woothemes.com/attachments/token/JMn8FxTmxUfV5hPepvWqkJ5b1/?name=example1.JPG
This image shows what it looks like currently but needs to change! Even if it's just the CSS to change it to make it look like you can't upload certain types and size then that would be better than nothing.