Product Add-ons Limit Upload Size & Only Allow Certain Filetype Extensions
With the Product Add-ons extension there is an extreme security flaw: not being able to specify what filetype extensions are allowed as uploads. Also, setting up a max upload size would be beneficial. Currently its default upload size is whatever is specified in the php.ini. So if someone is unable to change that, or needs it to have a 100mb upload limit for personal uploads, then the customers or hackers can flood your server with large files as well as any filetype they want!
This should be a high priority as it is a very popular extension!
We’ve explored this further and have determined that the features requested here are already present within WordPress.
Enabling large file uploads is best done at the server level, as mentioned in the original ideas post.
File type restrictions are handled by WordPress natively. Files uploaded through WooCommerce Product Addons are handled using the wp_handle_upload() function, which checks that the file type is one of the supported file types within WordPress. File type support can be customised via WordPress filters.
Thanks and regards,
Woo Product Lead at Automattic
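One way to enforce an extension whitelist and a size cap on these uploads without touching php.ini, using the core `upload_mimes` and `wp_handle_upload_prefilter` filters that `wp_handle_upload()` applies. This is an added example, not code from the thread or from the extension; the function names, the 5 MB cap and the extension list are assumed values for illustration.

```php
<?php
/**
 * Added example (not part of the Product Add-ons extension or this thread):
 * restrict uploads to a fixed extension list and a maximum size using the
 * core WordPress filters honoured by wp_handle_upload().
 * Assumptions: runs as a small mu-plugin; the 5 MB cap and the allowed
 * extensions are illustrative values to adjust for your site.
 */

define( 'EXAMPLE_MAX_UPLOAD_BYTES', 5 * 1024 * 1024 ); // 5 MB, illustrative

// Apply the tighter rules to everyone except site administrators, so the
// site-wide defaults (e.g. .svg enabled for page building) stay available
// to trusted users only. Hypothetical helper name.
function example_restrict_uploads_for_user() {
    return ! current_user_can( 'manage_options' );
}

// Whitelist of extension => MIME type. wp_handle_upload() rejects any file
// whose extension/MIME pair is not in this list; for images WordPress also
// checks the real content, so a renamed script is still refused.
add_filter( 'upload_mimes', function ( $mimes ) {
    if ( ! example_restrict_uploads_for_user() ) {
        return $mimes;
    }
    return array(
        'jpg|jpeg' => 'image/jpeg',
        'png'      => 'image/png',
        'pdf'      => 'application/pdf',
    );
} );

// Size check runs before the file is moved into the uploads directory.
// Setting $file['error'] makes wp_handle_upload() abort with that message.
add_filter( 'wp_handle_upload_prefilter', function ( $file ) {
    if ( ! example_restrict_uploads_for_user() ) {
        return $file;
    }
    if ( isset( $file['size'] ) && $file['size'] > EXAMPLE_MAX_UPLOAD_BYTES ) {
        $file['error'] = sprintf(
            'File exceeds the %d MB upload limit.',
            EXAMPLE_MAX_UPLOAD_BYTES / ( 1024 * 1024 )
        );
    }
    return $file;
} );
```

Because `upload_mimes` is applied site-wide, the capability check is what keeps administrator uploads on the site's existing type list while front-end customer uploads get the narrower one.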
Yeah, this 2015 decision doesn’t really work for us in 2019. So here’s the deal, we have default WP’s file sizes increased to be able to upload large mp4s & pdfs, and we have activated certain files like .svgs for use in our webpages (now pretty common), things we can’t just turn off to limit file size & type for uploads on the frontend. The ability for users to upload .svg files through this plugin with potentially malicious code creates a big security flaw for us in our platforms. When cheap 1-time purchased Envato plugins have the ability to set file upload size & type, so can this $50 subscription extension. As far as I am concerned, although it's triple the cost, switching to Gravity Forms just to be able to limit the security risks of this plugin is worth it. As someone who has 11 months of paid support I’d like this suggestion re-opened please? Thank you.
Ashraf Slamang commented
This is poor Matt. The admin will have to live by the same restrictions as a regular user.
Rich S commented
Still not able to cap max upload size?
More than a year and you guys did little to nothing about it. Ridiculous. Being that you charge for a license and support every year, you should be on top of this.
Hi everybody, is there any update about this issue?
It seems it has not yet been fixed, notwithstanding that it's a very delicate flaw!
Kindly let me know,
I just tried to upload a php file to my system and was prevented. Seems this request should be closed?
Tom Burton commented
I agree completely, these are essential components of a file upload field. Using an uploader widget instead of a basic file upload field would be another worthwhile improvement, along with Admin options to resize images upon upload.
Here is a picture example http://support.woothemes.com/attachments/token/JMn8FxTmxUfV5hPepvWqkJ5b1/?name=example1.JPG
This image shows what it looks like currently but needs to change! Even if it's just the CSS to change it to make it look like you can't upload certain types and size then that would be better than nothing.