IBX-6185: Add file upload blocklist to security checklist (#2059)

docs/guide/security_checklist.md

@@ -94,6 +94,18 @@ Introduce a measure against brute force login attacks (captcha, etc.).
 If you are using Fastly, disable Varnish.
 See [Security advisory: EZSA-2020-002.](https://developers.ibexa.co/security-advisories/ezsa-2020-002-unauthorised-cache-purge-with-misconfigured-fastly)
 
+### Block upload of unwanted file types
+
+The `ibexa.site_access.config.default.io.file_storage.file_type_blacklist` setting is defined in the config file `src/bundle/Core/Resources/config/default_settings.yml` in the Core bundle.
+It prevents uploading files that might be executed on the server, a Remote Code Execution (RCE) vulnerability. The setting lists filename extensions for files that shouldn't be uploaded.
+Attempting to upload files from the list results in an error message.
+There are also other safety measures in place, like using the web server configuration to block execution of uploaded scripts, see the next point.
+
+You should adapt this list to your needs. Note that `svg` images are blocked because they may contain JavaScript code.
+If you opt to allow them, make sure you take steps to mitigate the risk.
+
+The default list of blocked file types contains: `hta htm html jar js jse pgif phar php php3 php4 php5 phps phpt pht phtml svg swf xhtm xhtml`.
+
 ### Block execution of scripts in `var` directory
 
 Make sure the web server blocks the execution of PHP files and other scripts in the `var` directory.