This is documentation about a configuration directive, which can be placed within Movable Type’s core configuration file,
mt-config.cgi, to customize the behavior of the system.
This directive is available in Movable Type 5.11, 5.051, 4.361 and later.
DeniedAssetFileExtensions is the blacklist. Files are most typically blacklisted for security concerns. For example, a file with an extension of “php” may include some harmful or malicious code (perhaps using unlink to delete files). If you wish to upload one of these blacklisted files, you must specify your own list, removing from it the file extensions you wish to upload.
AssetFileExtensions is the white-list. The default value is set to null. When this configuration directive is specified, Movable Type will accept only files with the specified extensions as uploads. For example, the following list allows users to upload only images and movies: “gif, jpg, jpeg, png, bmp, tif, tiff, mp3, ogg, aiff, wav, wma, aac, flac, m4a, mov, avi, 3gp, asf, mp4, qt, wmv, asx, mpg, flv, mkv, ogm.”
When the same file extension is set in both DeniedAssetFileExtensions and AssetFileExtensions, DeniedAssetFileExtensions overrides AssetFileExtensions, so a user cannot upload files with that extension.
Many file types are denied by default:
ascx, asis, asp, aspx, bat, cfc, cfm, cgi, cmd, com, cpl, dll, exe, htaccess, htm, html, inc, jhtml, js, jsb, jsp, mht, mhtml, msi, php, php2, php3, php4, php5, phps, phtm, phtml, pif, pl, pwml, py, reg, scr, sh, shtm, shtml, vbs, vxd, pm, so, rb, htc
Files with these extensions will not be allowed as uploads.
Disallow Word and PowerPoint files from being uploaded:
DeniedAssetFileExtensions doc, ppt
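
The following is an added example, not Movable Type's own code: a small Python audit of mt-config.cgi text that reports which default-denied extensions a custom DeniedAssetFileExtensions no longer covers, and which AssetFileExtensions entries the deny list overrides. It assumes, as the text above implies, that a custom deny list replaces the default list; the case-insensitive comparison on the last extension, the function names and the sample configuration are assumptions of this example.

```python
# Model of the rules documented on this page; not Movable Type's implementation.
# Assumption: setting DeniedAssetFileExtensions replaces the default deny list.
import re

DEFAULT_DENIED = frozenset(
    "ascx asis asp aspx bat cfc cfm cgi cmd com cpl dll exe htaccess htm html "
    "inc jhtml js jsb jsp mht mhtml msi php php2 php3 php4 php5 phps phtm phtml "
    "pif pl pwml py reg scr sh shtm shtml vbs vxd pm so rb htc".split()
)

def parse_directive(config_text, name):
    """Return the extension set for directive `name`, or None if it is not set."""
    found = None
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):  # skip blank lines and comments
            continue
        m = re.match(r"(\S+)\s+(.+)$", line)
        if m and m.group(1) == name:
            found = {e.strip().lstrip(".").lower()
                     for e in m.group(2).split(",") if e.strip()}
    return found

def audit(config_text):
    """Report defaults a custom deny list drops, and allow/deny overlaps."""
    custom = parse_directive(config_text, "DeniedAssetFileExtensions")
    allowed = parse_directive(config_text, "AssetFileExtensions")
    denied = DEFAULT_DENIED if custom is None else custom
    return {
        "denied": denied,
        "allowed": allowed,  # None means no white-list is configured
        "dropped_defaults": sorted(DEFAULT_DENIED - denied),
        "overridden_allow": sorted((allowed or set()) & denied),
    }

def upload_permitted(filename, config_text):
    """Deny list overrides allow list; a null allow list adds no restriction."""
    report = audit(config_text)
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext in report["denied"]:
        return False
    return report["allowed"] is None or ext in report["allowed"]

# Constructed sample configuration, not taken from a real installation.
SAMPLE = """\
# constructed example
AssetFileExtensions jpg, png, doc, php
DeniedAssetFileExtensions doc, ppt
"""
```

A non-empty dropped_defaults list means the custom deny list should be rebuilt from the default list plus the additions, rather than listing only the new extensions.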