Limit the format types of Uploaded Files

Hi there! I hope all of you are doing fine. First of all, let me appreciate all the efforts and continuous hard work of PKP team for their outstanding products especially OJS as we are regularly using OJS since 2008 for our two journals: and

Recently, one of our journals (Annals of KEMU) was attacked by a malware and on investigating the files and different data, we came across multiple submissions containing suspicious files into submissions section (.phtml, .pht and .phar) and these scripts are still disturbing the landing page of our journal main website by replacing the index file. The reason of my posting this request is that I think OJS team should do something about allowed file formats to be uploaded within OJS to avoid such malicious scripts or they should find a way to prohibit such formats. It later came to our knowledge through the web search that some of other journals using OJS were affected by same malware. So, if possible, please do consider to either limit the allowed file formats for uploading or incorporate a mechanism to block / disallow executable formats.

Thank you once again and wish all of you best of luck.

Farhan Abbas
Assistant Editor (Online)
Annals of KEMU (

Hi Farhan,
in the plugin gallery, there is a “Control Public Files” plugin that exactly does what you wish for. Worth installing it.

1 Like

Hi @Farhan_Abbas,

Just to add in addition to @mpbraendle’s excellent advice – make sure that the files_dir is not directly web-accessible. This is noted in the installation form, in the configuration file, in the admin documentation, and basically anywhere else you deal with files_dir. Even with the “Control Public Files” plugin installed and preventing .phtml files from being uploaded, if you leave files_dir web accessible, it’ll still be possible for a user to guess URLs to access your journal’s content regardless of whether OJS grants access to it.

We don’t specifically prevent OJS from receiving certain types of files “out of the box” because there may be journals that legitimately want these types to be uploaded. For example, code could be part of a submisison to a journal about computer science. As long as these types of files can’t be directly accessed (and executed) by guessing the URL and circumventing OJS, they are safe.

Alec Smecher
Public Knowledge Project Team

1 Like

As far there is alrady a solution, moving to “Support forum”.

If you are still interested in create a FR, please add a new post estructuring your petition following the channel template.


Alright. Thanks for the prompt response. I will try with the above said plugin and also the important aspect you mentioned regarding the files directory. Will definitely ensure that this folder is not web accessible…


Under which category of plugins should I add it?

It’s a generic plugin.

1 Like

Thank you very much for your prompt response. The plugin has been installed and activated. Let’s see whether it does the job accordingly. Regards,

And as @asmecher said, please check that the files directory is outside of the {ojs_root} directory and not web accessible: - it is one of the most import security steps to take when setting up OJS.

Unfortunately, files director is inside ojs directory. For some unknown reason, it is there but it should not be. So can you suggest how can I move files director to a safe place and configure it accordingly in

@mpbraendle And also let me know how can I grant my ojs installation permissions to the files directory if it on a location outside of ojs?

This depends much on your Web server and Web server configuration used.

Of course, the web server process (Apache or whatever) needs to have write access (either as user or group) to the directory and all its subdirectory and files, but other should not have write access.

Example for a Linux system:
OJS root dir = /var/www/virtual/somepathname/htdocs/ojs
OJS files_dir = /var/www/virtual/somepathname/files

Permissions of files_dir
drwxrwxr-x {someuser_or_apacheuser} {apachegroup} files

In addition, the Web server configuration needs to be hardened so that no one can traverse the file system. It’s best to ask the server admin in your organization to set this up correctly.

1 Like

Really grateful for your valuable response. Will definitely consider these and consult our Server Administrator to ensure these security measures.

Thank you.

1 Like

This topic was automatically closed after 8 days. New replies are no longer allowed.