HennR
Post subject: filtered file extensions for attachments in the forum, why?!
Posted: 03.12.2010, 18:03
Joined: 2010-09-27
Posts: 55
Status: Offline

I just tried to attach a file ending with .log which has a size of 23kB and I wasn't allowed to do so because *.log files are not allowed to get attached.
WHY IS THAT?
I see the point on limiting file sizes, but compressing a log file of size 23kB is such a waste of time.
And not only for the one attaching the file but for the person decompressing it to be able to read it as well.

devil
Post subject: RE: filtered file extensions for attachments in the forum, w
Posted: 03.12.2010, 18:16
Joined: 2010-08-26
Posts: 491
Location: Berlin
Status: Offline

It's a security setting. Please tar it up.
greetz
devil

HennR
Post subject: RE: filtered file extensions for attachments in the forum, w
Posted: 03.12.2010, 19:00
Joined: 2010-09-27
Posts: 55
Status: Offline

Whose security does this setting increase?

piper
Post subject: RE: filtered file extensions for attachments in the forum, w
Posted: 03.12.2010, 19:23
Moderator
Joined: 2010-09-11
Posts: 467
Location: cheektowaga, ny
Status: Offline

The community itself and yours ...
_________________ debian sid | apt-get into it

HennR
Post subject: RE: filtered file extensions for attachments in the forum, w
Posted: 03.12.2010, 21:15
Joined: 2010-09-27
Posts: 55
Status: Offline

DonKult
Post subject: RE: filtered file extensions for attachments in the forum, w
Posted: 03.12.2010, 21:37
Team Member
Joined: 2010-09-02
Posts: 416
Status: Offline

First of all: File extensions say nothing. At least they say nothing in the Linux world. They are a hint maybe, but we could live without them.
I can for example call a script fun.log and still execute it with "./fun.log" (if I made it executable). The same is true for ./fun.png, ./fun.exe, ./fun.fun and even ./fun … And your browser wouldn't be the first with a bug/feature to execute a downloaded fun.log script…
Furthermore 23kb of text is a lot, are you sure you can't help the reader by extracting the relevant bits instead?
Using something like pastebin is another option.
_________________ MfG. DonKult
"I never make stupid mistakes. Only very, very clever ones." ~ The Doctor

HennR
Post subject: Re: RE: filtered file extensions for attachments in the foru
Posted: 03.12.2010, 22:59
Joined: 2010-09-27
Posts: 55
Status: Offline

DonKult wrote:
First of all: File extensions say nothing. At least they say nothing in the Linux world. They are a hint maybe, but we could live without them.
Yes.
DonKult wrote:
I can for example call a script fun.log and still execute it with "./fun.log" (if I made it executable). The same is true for ./fun.png, ./fun.exe, ./fun.fun and even ./fun … And your browser wouldn't be the first with a bug/feature to execute a downloaded fun.log script…
What about ./fun.tar.gz?
DonKult wrote:
Furthermore 23kb of text is a lot, are you sure you can't help the reader by extracting the relevant bits instead?
Somebody requested a log file which I gave him (about 500 lines). So what's the point? Size was 23kB not 23kb btw.
DonKult wrote:
Using something like pastebin is another option.
Yep, but I did not ask for alternatives but for what reason there are file extension filters.

DeepDayze
Post subject: RE: Re: RE: filtered file extensions for attachments in the
Posted: 04.12.2010, 00:45
Joined: 2010-09-11
Posts: 609
Location: USA
Status: Offline

Just tar or zip it up then attach it...why argue with the team about that? or use pastebin

Jörg
Post subject: RE: Re: RE: filtered file extensions for attachments in the
Posted: 04.12.2010, 09:40
Joined: 2010-09-14
Posts: 27
Location: Amsterdam
Status: Offline

DeepDayze wrote:
Just tar or zip it up then attach it...why argue with the team about that? or use pastebin
I fully agree with DeepDayze ... why argue? The team has more important work to do!

sx9
Post subject: RE: Re: RE: filtered file extensions for attachments in the
Posted: 04.12.2010, 12:46
Joined: 2010-09-12
Posts: 219
Location: Wiesbaden,Germany
Status: Offline

Quote:
What about ./fun.tar.gz?
Yes, maybe in the Linux world this could be called as an executable, too, but the browser still treats it as an archive. Another point: The extension management is Zikula-related, which means that it is controlled by the web structure management program. I know that I can't post .deb files so I pack them into tars or upload them somewhere else and post a link here. The extension filter has many advantages especially for win users, too, for example in virus protection cases. I can live with it, even if it isn't that easy for me or costs more time to pack that all in tars or gzips.
_________________ My new self-made computer:
Intel Core i7-2600k
ASUS Maximus IV Gene-Z (Mainboard)
2x4GB DDR3 RAM
ATI Radeon HD 6770
OCZ Vertex 3 60GB (SSD)
Western Digital Caviar Green WD20EARX 2TB (HDD)
...
aptosid x86_64

slam
Post subject: RE: Re: RE: filtered file extensions for attachments in the
Posted: 04.12.2010, 13:06
Team Member
Joined: 1970-01-01
Posts: 606
Location: w3
Status: Offline

Being the person responsible for the application stack we use on our web servers, here is the background:
The forum software we use is Zafenio, a phpBB-based forum module for the Zikula framework (which we used to build the CMS at sidux.com). It includes the "AttachementMod" from phpBB, which includes the file extension filter for the forums. Filtering those is very common with every popular forum software, not just to protect poor Windows users against malware, but also to protect the web server itself against possible intrusion patterns from uploaded files.
Yes, this filter is not protecting against everything - it's just one of the many security measures we implemented. Yes, some of the restricted file extensions are worth a discussion, but .log is definitely not. You should paste snippets from logs in a code box, and not attach entire logs. Entire logs never make sense, people asking you to upload entire logs are just too lazy to help you extract the needed snippets.
We are picky re security,
1) because we offer an operating system here, and every exploit would also harm aptosid's reputation;
2) because we do care for the reliability and uptimes of our web presence;
3) because the main topic of this forum attracts crackers more than others;
4) because we already have experienced and withstood several attacks over the last years;
5) because we can.
Thanks for understanding!
Greetings,
Chris
_________________ an operating system must operate
development is life
my Debian repo
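
Added example, not part of the thread and not the forum's actual filter: a server-side attachment check that combines the extension filter described above with a look at the file's leading bytes, since the name alone is only a hint. The allowlist, function names and sample uploads are assumptions made for illustration.

```python
import secrets

# Assumed allowlist for illustration; not the forum's real configuration.
ALLOWED_EXTENSIONS = {"txt", "log", "png", "tar", "gz", "zip"}

# Leading bytes that mark content as runnable, whatever the file is called.
EXECUTABLE_SIGNATURES = {
    b"#!": "script with interpreter line",
    b"\x7fELF": "ELF binary",
    b"MZ": "Windows executable",
    b"<?php": "PHP source",
}


def check_upload(filename: str, content: bytes) -> tuple[bool, str]:
    """Return (accepted, reason) for one uploaded attachment."""
    name = filename.rsplit("/", 1)[-1].rsplit("\\", 1)[-1]
    parts = name.lower().split(".")
    if len(parts) < 2 or not parts[0]:
        return False, "no extension"
    # Check every dotted component, so "report.php.log" is refused too.
    for ext in parts[1:]:
        if ext not in ALLOWED_EXTENSIONS:
            return False, f"extension .{ext} not allowed"
    # The name is only a hint: look at what the file really starts with.
    head = content.lstrip()[:8]
    for magic, label in EXECUTABLE_SIGNATURES.items():
        if head.startswith(magic):
            return False, f"content is a {label}"
    return True, "ok"


def storage_name() -> str:
    """Random name with no extension, so the server maps it to no handler."""
    return secrets.token_hex(16)


# Constructed sample uploads.
SAMPLES = [
    ("boot.log", b"[    0.000000] Linux version 2.6.36\n"),
    ("fun.log", b"#!/bin/sh\necho fun\n"),
    ("fun.png", b"\x7fELF\x02\x01\x01\x00"),
    ("report.php.log", b"plain text\n"),
    ("logs.tar.gz", b"\x1f\x8b\x08\x00\x00\x00\x00\x00"),
]

if __name__ == "__main__":
    for fname, data in SAMPLES:
        print(fname, check_upload(fname, data))
```
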

HennR
Post subject: Re: RE: Re: RE: filtered file extensions for attachments in
Posted: 05.12.2010, 14:02
Joined: 2010-09-27
Posts: 55
Status: Offline

Jörg wrote:
DeepDayze wrote:
Just tar or zip it up then attach it...why argue with the team about that? or use pastebin
I fully agree with DeepDayze ... why argue? The team has more important work to do!
Because I have more important work to do than compressing files and decompressing them when I download them.
Or in your words: Why should I argue with you?

HennR
Post subject: Re: RE: Re: RE: filtered file extensions for attachments in
Posted: 05.12.2010, 14:06
Joined: 2010-09-27
Posts: 55
Status: Offline

slam wrote:
Being the person responsible for the application stack we use on our web servers, here is the background:
..., but also to protect the web server itself against possible intrusion patterns from uploaded files.
OK, first good reason that I hear here. Thanks.
slam wrote:
5) because we can.
...
slam wrote:
Thanks for understanding!
Greetings,
Chris
Thanks for your work.