Up to now, the file upload in Lenya is restricted to certain files based
on the file suffix. We recently had a discussion to cancel this
restriction out, i.e. to enable an upload for all file types.
I am personally not sure whether this is a good idea. I mainly have
security concerns. However, I did not investigate this question in more
Does anybody have a more detailed argument concerning this question?

the main reason this is there is to restrict the upload to well-known
filetypes that we know how to handle in resources.xmap. while we could
do an application/octet-stream fallback, i am not sure if that would
work well. maybe cocoon needs a simpler way to define mime types..
i do not think the file type has much to do with security.

P.S. BTW, for our other Java applications, Tomcat runs under a security
manager (but up to now, I did not try to run Lenya under a security
manager), which allows very fine tuning concerning security.