Sage CRM 2023 R1: Admin Improvement: File Upload whitelist replaces blacklist


Sage CRM 2023 R1 has changed the way in which files uploaded into the library are policed. In Sage CRM 2022 R2 and earlier there was a setting called "File extension restrictions" that allowed a System Administrator to blacklist the extensions of file types that were forbidden from being uploaded to Sage CRM, for example exe, asp, or bat.

This file restriction list in Sage CRM 2022 R2 and earlier would only apply to the "Drop files here" and "Document Drop" library options. The blacklist didn't apply to email attachments.

Now in Sage CRM 2023 R1, System Administrators can configure an allowlist or "White List" of the file types that users can upload to Sage CRM. If a file name extension is missing from the allowlist, the upload of the file is blocked.

These limitations are enforced in Sage CRM 2023 R1 when a user uploads files on the Shared Documents tab or attaches files to a calendar task, email message, or communication using the "Add File" button or "Drop files here to attach them" area, or files emails against a record in Sage CRM using the "Import Emails" button.

We've moved to a "whitelist" approach rather than a "blacklist" approach because we think it provides a safer way of controlling file uploads. Only the specified file types can be uploaded, and any attempt to upload a file whose type is not on the list will be rejected.

The old way of doing it is less effective because it relies on keeping an up-to-date list of all known malicious file types, and any new malicious file type could potentially slip through.

Sage CRM 2023 R1 can still allow executables into the library if their extensions are included in the "Allowed File Name Extensions" whitelist.

If a file name extension in this option belongs to an executable file, you must also set the "Allow executable files" option to Yes before such files can be uploaded.

Sage CRM treats the following file types as executable:

com, cpl, dex, dll, exe, fon, mz, scr, sys, iec, ime, rs, tsp

Note: Sage CRM 2023 R1 has the ability to identify executable files regardless of any changes made to their file name extensions by examining the file's header and determining its actual type.
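To show how the two controls above fit together, here is an added example in Python; it is not Sage CRM's own code. It applies an extension allowlist (a constructed sample list), treats the extensions listed above as executable, and sniffs well-known executable headers (the "MZ" and ELF signatures, general knowledge rather than Sage CRM's published check) so that a binary renamed to an allowed extension is still caught. Its policy of always rejecting a disguised executable is this example's own assumption.

```python
from typing import Optional, Tuple

# Constructed allowlist for this example; a site sets its own in
# "Allowed File Name Extensions".
ALLOWED_EXTENSIONS = {"pdf", "docx", "xlsx", "png", "jpg", "txt"}

# Extensions the post lists as executable in Sage CRM 2023 R1.
EXECUTABLE_EXTENSIONS = {"com", "cpl", "dex", "dll", "exe", "fon", "mz",
                         "scr", "sys", "iec", "ime", "rs", "tsp"}

# Well-known executable headers (general knowledge; Sage CRM's own
# header check is not published on the page).
EXECUTABLE_MAGIC = {
    b"MZ": "Windows PE/DOS image",
    b"\x7fELF": "ELF executable",
}


def extension_of(filename: str) -> str:
    """Lower-cased final extension of a file name, or '' if it has none."""
    base = filename.replace("\\", "/").rsplit("/", 1)[-1]
    stem, dot, ext = base.rpartition(".")
    return ext.lower() if dot and stem else ""


def executable_signature(data: bytes) -> Optional[str]:
    """Identify an executable from its first bytes, ignoring the file name."""
    for magic, description in EXECUTABLE_MAGIC.items():
        if data.startswith(magic):
            return description
    return None


def check_upload(filename: str, data: bytes, allowed=ALLOWED_EXTENSIONS,
                 allow_executables: bool = False) -> Tuple[bool, str]:
    """Allowlist decision: anything not explicitly permitted is rejected."""
    ext = extension_of(filename)
    if ext not in allowed:
        return False, f"extension '{ext or '(none)'}' is not on the allowlist"
    signature = executable_signature(data)
    if signature and ext not in EXECUTABLE_EXTENSIONS:
        # Header says executable but the name does not: a renamed binary.
        # Rejected regardless of settings (this example's own policy).
        return False, f"content is a {signature} disguised as .{ext}"
    if (ext in EXECUTABLE_EXTENSIONS or signature) and not allow_executables:
        return False, "executables require 'Allow executable files' = Yes"
    return True, "accepted"
```

A file with no extension (or a leading-dot name such as ".htaccess") yields an empty extension and is therefore rejected, which is the default-deny behaviour the allowlist approach is meant to give.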
