Handling Unknown MIME Types for Uploaded .unitypackage Files in OPS

Dear PKP staff and Forum members,

We are currently operating OPS 3.3.0.8 (PHP 8.1).
When an author uploads a file with the .unitypackage extension among the manuscript-related files, a .txt extension is appended. Upon investigating the source code, we found the following process being executed:

  1. File Upload Process:
    The function parseFileExtension is called during the file upload.

./lib/pkp/controllers/wizard/fileUpload/form/SubmissionFilesUploadForm.inc.php

```php
// Upload the file.
import('lib.pkp.classes.file.FileManager');
$fileManager = new FileManager();
$extension = $fileManager->parseFileExtension($_FILES['uploadedFile']['name']);

$submissionDir = Services::get('submissionFile')->getSubmissionDir($request->getContext()->getId(), $this->getData('submissionId'));
$fileId = Services::get('file')->add(
    $_FILES['uploadedFile']['tmp_name'],
    $submissionDir . '/' . uniqid() . '.' . $extension
);
```

  2. Handling Unknown MIME Types:
    The parseFileExtension function appends “.txt” to the filename if the MIME type is unknown.

./lib/pkp/classes/file/FileManager.inc.php

```php
function parseFileExtension($fileName) {
    $fileParts = explode('.', $fileName);
    if (is_array($fileParts)) {
        $fileExtension = $fileParts[count($fileParts) - 1];
    }

    // FIXME Check for evil
    if (!isset($fileExtension) || stristr($fileExtension, 'php') || strlen($fileExtension) > 6 || !preg_match('/^\w+$/', $fileExtension)) {
        $fileExtension = 'txt';
    }

    // consider .tar.gz extension
    if (strtolower(substr($fileName, -7)) == '.tar.gz') {
        $fileExtension = substr($fileName, -6);
    }

    return $fileExtension;
}
```

Could you please advise on how to add the MIME type for file extensions not currently supported by OPS, such as in this case? Ideally, we would prefer a solution that does not involve modifying the OPS source files but instead uses a configuration file to add the definitions.

Thank you for your assistance.

Best regards,
Minoru Tanabe.

Hi @Minoru_Tanabe,

The unitypackage extension is pretty niche – but we are already explicitly working around generic handling of extensions for e.g. .tar.gz archives in that piece of code. If you’d like to submit a PR that explicitly handles unitypackage files as well, I’ll consider it for inclusion in the next release.

Regards,
Alec Smecher
Public Knowledge Project Team

Hi @asmecher,

Thank you for your response.
If I were to modify the source code and submit a pull request, I would propose the following changes:

  1. An external file sample of allowed_extensions.txt:

```
unitypackage
unityweb
uproject
webmanifest
```

  2. A sample of revised code:

```php
// Read allowed_extensions.txt (one extension per line).
// file() returns false if the file cannot be read; fall back to an empty list.
$allowedExtensions = file('allowed_extensions.txt', FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES) ?: [];

// FIXME Check for evil
if (!isset($fileExtension) || stristr($fileExtension, 'php') || strlen($fileExtension) > 6 || !preg_match('/^\w+$/', $fileExtension)) {
    if (!in_array(strtolower($fileExtension), $allowedExtensions)) {
        $fileExtension = 'txt';
    }
}
```

However, considering long-term operation and security risks, I believe it might be better not to allow direct uploads of diverse project files or files used in specific software environments to OPS/OJS. Instead, we could guide users to external platforms like GitHub, where they can download the necessary files. What are your thoughts on this approach?

I would appreciate hearing your opinion on this matter.

Best regards,
Minoru Tanabe.
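
For the allowlist idea proposed in the post above, an added example (not from the thread and not PKP code) that runs the quoted checks next to a hypothetical variant in which the allowlist lifts only the six-character limit. The function names and sample file names are constructed; `unitypackage` is 12 characters long, so in the quoted code it is the `strlen($fileExtension) > 6` test that selects `txt`.

```php
<?php
// Added example; not PKP code. Function names are hypothetical.

// The checks quoted in the thread from FileManager::parseFileExtension.
function parseExtensionQuoted(string $fileName): string {
    $parts = explode('.', $fileName);
    $ext = $parts[count($parts) - 1];
    if (stristr($ext, 'php') || strlen($ext) > 6 || !preg_match('/^\w+$/', $ext)) {
        $ext = 'txt';
    }
    if (strtolower(substr($fileName, -7)) == '.tar.gz') {
        $ext = substr($fileName, -6);
    }
    return $ext;
}

// Variant: allowlisted extensions may exceed 6 characters, but the 'php'
// and \w+ checks still apply to the upload and to every allowlist entry.
function parseExtensionAllowlisted(string $fileName, array $allowlist): string {
    $isSafe = fn(string $e): bool =>
        preg_match('/^\w+$/', $e) === 1 && stristr($e, 'php') === false;
    $allowed = array_filter(array_map('strtolower', array_map('trim', $allowlist)), $isSafe);

    if (strtolower(substr($fileName, -7)) == '.tar.gz') {
        return substr($fileName, -6);
    }
    $parts = explode('.', $fileName);
    $ext = $parts[count($parts) - 1];
    $tooLong = strlen($ext) > 6 && !in_array(strtolower($ext), $allowed, true);
    return ($isSafe($ext) && !$tooLong) ? $ext : 'txt';
}

// Constructed file names; the allowlist is the one proposed in the thread,
// plus a 'php' entry (constructed) to show that bad entries are ignored.
$allowlist = ['unitypackage', 'unityweb', 'uproject', 'webmanifest', 'php'];
$samples = ['scene.unitypackage', 'paper.pdf', 'data.tar.gz',
            'x.unitypackage.php', 'notes.verylongext'];
foreach ($samples as $name) {
    printf("%-20s quoted=%-7s allowlisted=%s\n", $name,
        parseExtensionQuoted($name), parseExtensionAllowlisted($name, $allowlist));
}
```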

Hi @Minoru_Tanabe,

Using an external system for supplementary content is another worthwhile approach; there’s the Dataverse plugin for OJS, for example.

Regards,
Alec Smecher
Public Knowledge Project Team

Hi @asmecher,

Thank you for your reply.
In the end, we decided not to directly publish .unitypackage files. Therefore, for the time being, no further action is required.
Additionally, creating a plugin solely for addressing this issue would be cumbersome, so we would prefer to wait for this to be incorporated into the OPS core in a future release.

Best regards,
Minoru Tanabe.
