Page tree
Skip to end of metadata
Go to start of metadata

You can prevent specific file extensions from being uploaded in FileCloud 10.0 and later.

Existing files cannot be renamed to use a restricted file extension in FileCloud 17.3 and later.

You can create a list of only the file extensions you want to allow to be uploaded in FileCloud 19.1 and later.

Prior to FileCloud Version 21.2, Disallowed File Extensions listed php and php5 by default; from Version 21.2 on, it lists php, php5, phar, and phtml. If you are using a version of FileCloud earlier than 21.2, you are advised to add phar and phtml to the Disallowed File list. See Advisory 2021-09 Upload of Potentially Unsafe File Types for more information.


For security reasons you may want to create a set of rules for the working environment where many users have access to a central resource, such as files and folders in FileCloud Server.

  • You can either create a list of file extensions to restrict, or create a list of file extensions to allow.
  • If you create an Allowed list of file extensions, then any settings in the Disallowed list will be ignored. 
  • These restrictions help to prevent users from uploading malicious attachments and viewing them.
  • By default FileCloud restricts users from uploading any files with php extensions. This is to prevent any code injection.


Which list should I use? The Allowed or Disallowed?

  • If you know which file types you don't want to allow and this list is short, you can use the Disallowed setting.
  • If you want to allow only a few file types to be uploaded, you can use the Allowed setting.
  • If you create an Allowed list of file extensions, then any settings in the Disallowed list will be ignored. 

What Do You Want to Do?


If you leave an empty space in your list, then you will allow files that don't have an extension to be uploaded.

  • An empty space is defined as a delimiter character followed by no value.
ExamplesDescriptionImpact on Uploading Files
png | jpg |

Allow 3 types of files to be uploaded with an extension of:

  • png
  • jpg
  • empty

Only the following files can be uploaded by users:

  • Portable Network Graphics
  • Joint Photographic Experts Group
  • Any file without an extension (for example, a file named config)
png | jpg

Allow 3 types of files to be uploaded with an extension of:

  • png
  • jpg

Only the following files can be uploaded by users:

  • Portable Network Graphics
  • Joint Photographic Experts Group
FileCloud VersionMethodInstructionsNotes
19.1Admin Portal

To manage extension in the Admin Portal:

  1. Log into Admin Portal.
  2. From the left navigation panel, select Settings.
  3. On the Settings screen, select the Misc. tab, and then the General tab.
  4. Scroll down until you see the Allowed File Extensions box.
  5. In the Allowed File Extensions box, specify the allowed  extensions, using the "|" character to separate each extension.

(warning) If you add extensions to the Allowed File Extensions list, then any extensions in the Disallowed File Extension list will be ignored.

(warning) If you leave an empty space in your list, then you will allow files that don't have an extension to be uploaded.

This list of extensions must use the following character as the delimiter:

  • '|'
  • For example, to restrict the mp4 and mp3 extensions:

    mp4|mp3
FileCloud VersionMethodInstructionsNotes
Earlier than 17.3Direct Coding

To add file extension restrictions:

  1. Open the following file

    WWWROOT\config\cloudconfig.php
  2. Add the following code

    define("TONIDOCLOUD_DISALLOWED_RESTRICTIONS", "php|php5|phar|phtml");

To remove all file extension restrictions:

  1. Open the following file


    WWWROOT\config\cloudconfig.php
  2. Edit the code to match this:

    define("TONIDOCLOUD_DISALLOWED_RESTRICTIONS", "");

This list of extensions must use the following character as the delimiter:(warning)

  • '|'
  • For example, to restrict php extensions:

    php|php5|phar|phtml
17.3 and later

Admin Portal

Direct Coding

To manage extensions in the Admin Portal:

  1. Log into Admin Portal.
  2. From the left navigation panel, select Settings.
  3. On the Settings screen, select the Misc. tab, and then the General tab.
  4. Scroll down until you see the Disallowed File Extensions box.
  5. In the Disallowed File Extensions box, add the additional restricted extensions.

(warning) If you add extensions to the Allowed File Extensions list, then any extensions in the Disallowed File Extension list will be ignored.


This list of extensions must use the following character as the delimiter:

  • '|'
  • For example, to add restrictions for mp3 and mp4 to the list of disallowed extensions:

    php|php5|phar|phtml|mp3|mp4



  • No labels