(never ever allowed in security land so I am told) opt-in security:
=== modified file 'includes/file.inc'
--- includes/file.inc
+++ includes/file.inc
@@ -156,7 +156,10 @@
 else {
 $file->filemime = $_FILES["edit"]["type"][$source];
 }
- if (((substr($file->filemime, 0, 5) == 'text/' || strpos($file->filemime, 'javascript')) && (substr($file->filename, -4) != '.txt')) || preg_match('/\.(php|pl|py|cgi|asp)$/i', $file->filename)) {
+ preg_match('/\.(.+)$/', $file->filename, $m);
+ $extension = $m[1];
+ $allowed_extensions = variable_get('file_allowed_extensions', array('jpg', 'jpeg', 'gif', 'png', 'txt', 'html', 'doc', 'xls', 'pdf', 'ppt', 'pps'));
+ if (((substr($file->filemime, 0, 5) == 'text/' || strpos($file->filemime, 'javascript')) && ($extension != 'txt')) || !in_array($extension, $allowed_extensions)) {
 $file->filemime = 'text/plain';
 rename($file->filepath, $file->filepath .'.txt');
 $file->filepath .= '.txt';

From here, you take over. Regards NK
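Review bot: The default list passed to `variable_get('file_allowed_extensions', ...)` includes `'html'`, and the only other barrier for such a file is the `text/` test on `$file->filemime`, which on the visible `else` branch is copied from the client-supplied `$_FILES["edit"]["type"][$source]`; an upload declared with a non-text type therefore keeps its `.html` name and can be served as active content from the site's origin. Drop `'html'` from the default array so that a site has to opt in to it explicitly. `$m[1]` is also read without checking that `preg_match()` matched, and the comparison is case-sensitive where the removed pattern used `/i`, so a name without a dot raises a notice and `PHOTO.JPG` is renamed to `.txt`; `$extension = isset($m[1]) ? strtolower($m[1]) : '';` covers both. The enclosing function begins and ends outside the hunk.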