The MU forums have moved to WordPress.org

Safe file types / file extensions to allow to be uploaded (13 posts)

  1. Farms
    Member
    Posted 16 years ago #

    Being in the education biz, I get a lot of teachers using varied desktop apps which spit out every filetype and extension you've heard of (and some you haven't) - and they want to share them too!

    My problem is differentiating from 'safe' file types (i.e. ones that won't allow for exploitation of the system...) and unsafe ones.

    Any tips or ideas on how I can best figure that out?

  2. drmiketemp
    Member
    Posted 16 years ago #

    Maybe a list of some of the file types you deal with might be helpful...

  3. lunabyte
    Member
    Posted 16 years ago #

    That would be my recommendation. Make a list of supported file types, and another list of supported file types on EDUblogs premium. ;)

  4. Farms
    Member
    Posted 16 years ago #

    The problem is more where to start, 'cos I get asked for new ones every day - i.e. .inf, .ins - and I'm trying to figure out if there's an easy way to ascertain if there are potential security risks.

    Agree about actually detailing supported uploads though, will add to the list :)

  5. mysorehead
    Member
    Posted 16 years ago #

    .ins is probably an inspiration file so should be allowed.

    Aren't the only truly unsafe ones the file types that are executed on your server or in the browser? e.g. php, js

    Given that JPEGs can have exploit code for unpatched systems, is it all a bit silly being so paranoid? Unless you're worried about becoming a warez or mp3 site! But given size restrictions that is probably unlikely.

    Richard

  6. Farms
    Member
    Posted 16 years ago #

    I guess that's what I was asking - are there any other files, besides js, php etc. which are completely on the banned list and we can say no to - while saying yes to more or less anything else.

    And yep, it's an inspiration file :)

  7. mysorehead
    Member
    Posted 16 years ago #

    If you have your folder permissions set properly then none of the users' uploaded files should ever be executed server side regardless of the file type. Even javascript files shouldn't be a problem as the users can't include them in their pages anyway.

    So with that logic any and every file type should be safe.

    I'm sure others will disagree but I'd like to be convinced why...

  8. Farms
    Member
    Posted 16 years ago #

    Likewise :)

  9. drmiketemp
    Member
    Posted 16 years ago #

    Actually I meant a list of some of the file types Farms was debating on allowing. Easier to search for specifics that way.

    As to the warez issues, it's child's play to just switch the file extension and upload a zip file as a jpg. Don't know if mu checks it or not.

  10. Farms
    Member
    Posted 16 years ago #

    But if there are some generic guidelines, like msh is suggesting, then it wouldn't matter so much...

  11. drmiketemp
    Member
    Posted 16 years ago #

    We could look into the issue though with specifics...

  12. mysorehead
    Member
    Posted 16 years ago #

    I'd just ban php files, not because they could be executed and be a security risk but because the done thing is to share php files with a phps extension.

    Good luck!

  13. mark-k
    Member
    Posted 16 years ago #

    Just ran into the same issue. It actually makes more sense to have a list of restricted file types than a permitted one.

    Do you know of any plugin which does it, or should I patch it myself?
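
The thread leaves two questions open: whether an extension list is enough, and whether a zip renamed to .jpg gets noticed. The sketch below is an added example, not part of any post above and not WordPress MU code; it pairs an extension allowlist with a check of the file's leading bytes. The function name `check_upload`, the allowlist contents and the sample bytes are all assumptions constructed for illustration.

```php
<?php
// Added example (hypothetical helper, not WordPress MU code).
// Allowed extension => byte signatures the content must begin with.
const ALLOWED_SIGNATURES = [
    'jpg'  => ["\xFF\xD8\xFF"],
    'jpeg' => ["\xFF\xD8\xFF"],
    'png'  => ["\x89PNG\r\n\x1A\n"],
    'gif'  => ["GIF87a", "GIF89a"],
    'pdf'  => ["%PDF-"],
    'zip'  => ["PK\x03\x04"],
];

function check_upload(string $filename, string $bytes): string
{
    // Only the final extension counts, lower-cased ("Photo.JPG" => "jpg").
    $ext = strtolower(pathinfo($filename, PATHINFO_EXTENSION));
    if (!array_key_exists($ext, ALLOWED_SIGNATURES)) {
        return "reject: extension '$ext' is not on the allowlist";
    }
    // The content must start with a signature registered for that extension.
    foreach (ALLOWED_SIGNATURES[$ext] as $magic) {
        if (strncmp($bytes, $magic, strlen($magic)) === 0) {
            return 'accept';
        }
    }
    return "reject: content does not match .$ext";
}

// Constructed sample inputs: filename => first bytes of the upload.
$samples = [
    'photo.jpg'   => "\xFF\xD8\xFF\xE0\x00\x10JFIF",  // JPEG header
    'holiday.jpg' => "PK\x03\x04\x14\x00\x00\x00",    // ZIP renamed to .jpg
    'notes.inf'   => "[Version]\r\n",                 // extension not listed
    'page.php'    => "<?php",                         // extension not listed
];
foreach ($samples as $name => $bytes) {
    printf("%-12s %s\n", $name, check_upload($name, $bytes));
}
```

A matching header only shows how a file starts, so this check complements, rather than replaces, storing uploads where the server never executes them.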
