From d44ee7de7c388140aed70926066957ba90d86a1e Mon Sep 17 00:00:00 2001
From: Paula Quispe
Date: Wed, 24 Sep 2025 15:15:07 -0400
Subject: [PATCH] FOUR-26751
---
 .../Controllers/Api/ProcessRequestFileController.php | 8 +++++---
 config/files.php | 10 ++++++++++
 2 files changed, 15 insertions(+), 3 deletions(-)
diff --git a/ProcessMaker/Http/Controllers/Api/ProcessRequestFileController.php b/ProcessMaker/Http/Controllers/Api/ProcessRequestFileController.php
index 5e38a77d41..1e606ca5f4 100644
--- a/ProcessMaker/Http/Controllers/Api/ProcessRequestFileController.php
+++ b/ProcessMaker/Http/Controllers/Api/ProcessRequestFileController.php
@@ -450,15 +450,17 @@ public function destroy(Request $laravel_request, ProcessRequest $request, $file
 private function validateFile(UploadedFile $file, &$errors)
 {
 // Explicitly reject archive files for security
- $this->rejectArchiveFiles($file, $errors);
+ if (config('files.enable_dangerous_validation')) {
+ $this->rejectArchiveFiles($file, $errors);
+ }
 // Validate file extension if enabled
- if (config('files.enable_extension_validation', true)) {
+ if (config('files.enable_extension_validation')) {
 $this->validateFileExtension($file, $errors);
 }
 // Validate MIME type vs extension if enabled
- if (config('files.enable_mime_validation', true)) {
+ if (config('files.enable_mime_validation')) {
 $this->validateExtensionMimeTypeMatch($file, $errors);
 }
diff --git a/config/files.php b/config/files.php
index 8e81083adb..f4356129e8 100644
--- a/config/files.php
+++ b/config/files.php
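Review bot: In `validateFile()` of ProcessRequestFileController.php none of the three `config()` calls has a fallback any more, so a missing key returns null and the check is skipped instead of run. The two existing calls lost their `true` default and the new archive gate never had one; if the running configuration lacks `files.enable_dangerous_validation` (for example a config cache built before this deploy, which is an assumption about the environment), `rejectArchiveFiles()` is bypassed without any error. Keep the checks fail-closed with `if (config('files.enable_dangerous_validation', true)) {` and restore `, true` on `files.enable_extension_validation` and `files.enable_mime_validation`. The comment above the new `if` should also say the rejection is now conditional, e.g. `// Reject archive files unless files.enable_dangerous_validation is turned off`. The body of `validateFile()` continues outside the hunk.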
@@ -72,6 +72,16 @@
 'mp4' => ['video/mp4'],
 ],
+ /*
+ |--------------------------------------------------------------------------
+ | Enable DANGEROUS Validation
+ |--------------------------------------------------------------------------
+ |
+ | Whether to enable dangerous file validation that checks against
+ |
+ */
+ 'enable_dangerous_validation' => env('ENABLE_DANGEROUS_VALIDATION', true),
+
 /*
 |--------------------------------------------------------------------------
 | Enable MIME Type Validation
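Review bot: The description in the new comment block of config/files.php stops mid-sentence at `checks against`, so the file never says what this switch controls. In this patch the key gates the `rejectArchiveFiles()` call in `validateFile()`, so setting `ENABLE_DANGEROUS_VALIDATION=false` turns off archive rejection for uploaded files. The block should state that, for example `| Whether uploaded files are passed through the archive rejection check.` followed by `| Disabling this allows archive uploads; leave enabled unless required.` A heading such as `Enable Dangerous File Validation` would also avoid reading as if the validation itself were dangerous.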