diff --git a/src/applications/files/config/PhabricatorFilesConfigOptions.php b/src/applications/files/config/PhabricatorFilesConfigOptions.php
index b448b0b5ff..7f18da3e99 100644
--- a/src/applications/files/config/PhabricatorFilesConfigOptions.php
+++ b/src/applications/files/config/PhabricatorFilesConfigOptions.php
@@ -89,8 +89,14 @@ final class PhabricatorFilesConfigOptions
) + array_fill_keys(array_keys($image_default), 'fa-file-image-o');
+ // NOTE: These options are locked primarily because adding "text/plain"
+ // as an image MIME type increases SSRF vulnerability by allowing users
+ // to load text files from remote servers as "images" (see T6755 for
+ // discussion).
+
return array(
$this->newOption('files.viewable-mime-types', 'wild', $viewable_default)
+ ->setLocked(true)
->setSummary(
pht('Configure which MIME types are viewable in the browser.'))
->setDescription(
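Review bot: The NOTE placed before `return array(` explains the lock only for the `files.image-mime-types` / `text/plain` case, yet this hunk also locks `files.viewable-mime-types` and the next hunk locks the audio and icon lists, so a reader of those four `->setLocked(true)` lines finds no stated reason for three of them. Suggest widening the comment to name the shared rationale, e.g. `// NOTE: All four MIME-type options are locked because they decide how an uploaded file is delivered to or embedded in the browser; loosening any of them from the web config weakens the SSRF and content-type protections (see T6755 for discussion).` The `files.viewable-mime-types` description in the next hunk already says these are "the MIME types they are delivered as when they are viewed in the browser", which is the concrete risk the comment should point at. I am assuming `setLocked(true)` means the value cannot be changed through the web UI; if it means something narrower, adjust the wording accordingly.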
@@ -104,18 +110,21 @@ final class PhabricatorFilesConfigOptions
'the MIME types they are delivered as when they are viewed in '.
'the browser.')),
$this->newOption('files.image-mime-types', 'set', $image_default)
+ ->setLocked(true)
->setSummary(pht('Configure which MIME types are images.'))
->setDescription(
pht(
'List of MIME types which can be used as the `src` for an '.
'`` tag.')),
$this->newOption('files.audio-mime-types', 'set', $audio_default)
+ ->setLocked(true)
->setSummary(pht('Configure which MIME types are audio.'))
->setDescription(
pht(
'List of MIME types which can be used to render an '.
'`` tag.')),
$this->newOption('files.icon-mime-types', 'wild', $icon_default)
+ ->setLocked(true)
->setSummary(pht('Configure which MIME types map to which icons.'))
->setDescription(
pht(