HennR
Post subject: filtered file extensions for attachments in the forum, why?!
Posted: 03.12.2010, 18:03
I just tried to attach a file ending with .log which has a size of 23kB and I wasn't allowed to do so because *.log files are not allowed to be attached.

WHY IS THAT?

I see the point on limiting file sizes, but compressing a log file of size 23kB is such a waste of time.
And not only for the one attaching the file but for the person decompressing it to be able to read it as well.
 
devil
Post subject: RE: filtered file extensions for attachments in the forum, w
Posted: 03.12.2010, 18:16
It's a security setting. Please tar it up.

greetz
devil
 
HennR
Post subject: RE: filtered file extensions for attachments in the forum, w
Posted: 03.12.2010, 19:00
Whose security does this setting increase?
 
piper (Moderator)
Post subject: RE: filtered file extensions for attachments in the forum, w
Posted: 03.12.2010, 19:23
The community itself and yours ...

_________________
debian sid | apt-get into it
 
HennR
Post subject: RE: filtered file extensions for attachments in the forum, w
Posted: 03.12.2010, 21:15
Why?
 
DonKult (Team Member)
Post subject: RE: filtered file extensions for attachments in the forum, w
Posted: 03.12.2010, 21:37
First of all: File extensions say nothing. At least they say nothing in the Linux world. They are a hint maybe, but we could live without them.

I can for example call a script fun.log and still execute it with "./fun.log" (if I made it executable). The same is true for ./fun.png, ./fun.exe, ./fun.fun and even ./fun … And your browser wouldn't be the first with a bug/feature to execute a downloaded fun.log script…

Furthermore 23kb of text is a lot, are you sure you can't help the reader by extracting the relevant bits instead?

Using something like pastebin is another option.

_________________
MfG. DonKult
"I never make stupid mistakes. Only very, very clever ones." ~ The Doctor
 
HennR
Post subject: Re: RE: filtered file extensions for attachments in the foru
Posted: 03.12.2010, 22:59
      DonKult wrote:
First of all: File extensions say nothing. At least they say nothing in the Linux world. They are a hint maybe, but we could live without them.

Yes.

      DonKult wrote:
I can for example call a script fun.log and still execute it with "./fun.log" (if I made it executable). The same is true for ./fun.png, ./fun.exe, ./fun.fun and even ./fun … And your browser wouldn't be the first with a bug/feature to execute a downloaded fun.log script…

What about ./fun.tar.gz?

      DonKult wrote:

Furthermore 23kb of text is a lot, are you sure you can't help the reader by extracting the relevant bits instead?

Somebody requested a log file which I gave him (about 500 lines). So what's the point? Size was 23kB not 23kb btw.

      DonKult wrote:

Using something like pastebin is another option.

Yep, but I did not ask for alternatives but for what reason there are file extension filters.
 
DeepDayze
Post subject: RE: Re: RE: filtered file extensions for attachments in the
Posted: 04.12.2010, 00:45
Just tar or zip it up then attach it...why argue with the team about that? or use pastebin
 
Jörg
Post subject: RE: Re: RE: filtered file extensions for attachments in the
Posted: 04.12.2010, 09:40
      DeepDayze wrote:
Just tar or zip it up then attach it...why argue with the team about that? or use pastebin

I fully agree with DeepDayze ... why argue? The team has more important work to do!
 
sx9
Post subject: RE: Re: RE: filtered file extensions for attachments in the
Posted: 04.12.2010, 12:46
      Quote:

What about ./fun.tar.gz?


Yes, maybe in the Linux world this could be called as an executable, too, but the browser still treats it as an archive. Another point: The extension management is Zikula related, which means that it is controlled by the web structure management program. I know that I can't post .deb files so I pack them into tars or upload them somewhere else and post a link here. The extension filter has many advantages especially for win users, too, for example in virus protection cases. I can live with it, even if it isn't that easy for me or costs more time to pack that all in tars or gzips.

_________________
My new self-made computer:
Intel Core i7-2600k
ASUS Maximus IV Gene-Z (Mainboard)
2x4GB DDR3 RAM
ATI Radeon HD 6770
OCZ Vertex 3 60GB (SSD)
Western Digital Caviar Green WD20EARX 2TB (HDD)
...
aptosid x86_64
 
slam (Team Member)
Post subject: RE: Re: RE: filtered file extensions for attachments in the
Posted: 04.12.2010, 13:06
Being the person responsible for the application stack we use on our web servers, here is the background:

The forum software we use is Zafenio, a phpBB based forum module for the Zikula framework (which we used to build the CMS at sidux.com). It includes the "AttachementMod" from phpBB, which includes the file extension filter for the forums. Filtering those is very common with every popular forum software, not just to protect poor Windows users against malware, but also to protect the web server itself against possible intrusion patterns from uploaded files.

Yes, this filter is not protecting against everything - it's just one of the many security measures we implemented. Yes, some of the restricted file extensions are worth a discussion, but .log is definitely not. You should paste snippets from logs in a code box, and not attach entire logs. Entire logs never make sense, people asking you to upload entire logs are just too lazy to help you extract the needed snippets.

We are picky re security,

1) because we offer an operating system here, and every exploit would also harm aptosid's reputation;
2) because we do care for the reliability and uptimes of our web presence;
3) because the main topic of this forum attracts crackers more than others;
4) because we have already experienced and withstood several attacks over the last years;
5) because we can.

Thanks for understanding!

Greetings,
Chris

_________________
an operating system must operate
development is life
my Debian repo
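
The two points made above, DonKult's that a file name says nothing about what the file is and slam's that the extension filter is only one of several measures, can be combined in a single upload check. This is an added example, not part of the thread and not the forum software's code; the allowlist, the function names and the sample bytes are assumptions for illustration.

```python
import os

# Assumed allowlist for illustration; the forum's real list is not shown in the thread.
ALLOWED_EXTENSIONS = {".gz", ".tgz", ".zip", ".png"}

# Leading bytes ("magic numbers") a file with each allowed extension must start with.
EXPECTED_MAGIC = {
    ".gz": (b"\x1f\x8b",),
    ".tgz": (b"\x1f\x8b",),
    ".zip": (b"PK\x03\x04",),
    ".png": (b"\x89PNG\r\n\x1a\n",),
}

# Content a loader or interpreter will run whatever the file is called.
EXECUTABLE_MARKERS = {
    b"#!": "a shebang script",
    b"\x7fELF": "an ELF binary",
    b"MZ": "a Windows PE binary",
    b"<?php": "PHP source",
}


def check_attachment(filename, data):
    """Return (accepted, reason) for an uploaded attachment."""
    # Layer 1: extension allowlist. Only the final suffix counts,
    # so "fun.tar.gz" is judged as ".gz".
    ext = os.path.splitext(filename.lower())[1]
    if ext not in ALLOWED_EXTENSIONS:
        return False, f"extension {ext or '(none)'} not allowed"
    # Layer 2: the name is only a hint, so inspect the bytes as well.
    for marker, kind in EXECUTABLE_MARKERS.items():
        if data.startswith(marker):
            return False, f"content is {kind}, not {ext}"
    if not data.startswith(EXPECTED_MAGIC[ext]):
        return False, f"content does not match {ext}"
    return True, "ok"


def safe_storage_name(upload_id):
    """Server-chosen name, so the client's file name never reaches the disk."""
    return f"attachment-{upload_id:08d}.bin"


# Constructed sample uploads (not taken from the thread).
SCRIPT = b"#!/bin/sh\necho hello\n"
GZIP_HEADER = b"\x1f\x8b\x08\x00" + b"\x00" * 6  # first bytes of a gzip stream
```

A script renamed to fun.tar.gz passes the extension layer and is caught only by the content layer, which is why the filter is described as one measure among several.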
 
HennR
Post subject: Re: RE: Re: RE: filtered file extensions for attachments in
Posted: 05.12.2010, 14:02
      Jörg wrote:
      DeepDayze wrote:
Just tar or zip it up then attach it...why argue with the team about that? or use pastebin
I fully agree with DeepDayze ... why argue? The team has more important work to do!


Because I have more important work to do than compressing files and decompressing them when I download them.

Or in your words: Why should I argue with you?
 
HennR
Post subject: Re: RE: Re: RE: filtered file extensions for attachments in
Posted: 05.12.2010, 14:06
      slam wrote:
Being the person responsible for the application stack we use on our web servers, here is the background:

..., but also to protect the web server itself against possible intrusion patterns from uploaded files.


OK, first good reason that I hear here. Thanks.


      slam wrote:

5) because we can.

...

      slam wrote:

Thanks for understanding!

Greetings,
Chris


Thanks for your work.
 
All times are GMT - 12 Hours