ELM: Users Are Able To Attach Files Not In The File Extension Allowlist Configured For Supplemental Learning (Doc ID 2733481.1)

Last updated on JULY 21, 2023

Applies to:

Symptoms

Users are able to attach files not in the file extension allowlist configured for Supplemental Learning


The issue can be reproduced at will with the following steps:

Prerequisites:

1. Create a File extension to Accept only .DOCX, Extension List Type: Absolute.( PeopleTools > Utilities > Administration > Administer File Processing > File Extension List)
2. Update URL.LM_SUPP_ATCH to associate it with a allowlist(File Extension List). Click on URL Properties for URL:LM_SUPP_ATCH. (PeopleTools->Utilities-->Administration-->URL)
3. Ensure that the fluid Add Supplemental page is used. If not currently setup to use fluid Add Supplemental page, update the portal structure definition for Supplemental Learning to redirect it to the fluid Add Supplemental page (use CN_DISPLAYMODE_1)

1. Navigate to Navbar > Self Service > Learning > Add Supplemental Learning
2. Choose any Supplemental Learning Type
3. Click on the Add Attachment button
4. Click on the My Device icon
5. Choose an HTML file to upload
6. Click on the Upload button
7. Click on the Done button. The HTML is uploaded successfully

Cause

My Oracle Support provides customers with access to over a million knowledge articles and a vibrant support community of peers and Oracle experts.