Attachments Security...

Discuss features as they are added to the new version. Give us your feedback. Don't post bug reports, feature requests, support questions or suggestions here.
Forum rules
Discuss features as they are added to the new version. Give us your feedback. Don't post bug reports, feature requests, support questions or suggestions here. Feature requests are closed.
User avatar
EXreaction
Registered User
Posts: 1555
Joined: Sat Sep 10, 2005 2:15 am

Attachments Security...

Post by EXreaction »

As we started talking about it in this thread:
viewtopic.php?f=3&t=25029&st=0&sk=t&sd=a&start=20

I really think the devs should at least think of changing the way the attachments are handled.

Now, to explain it for everyone who has not read that other thread...

All that would need to be done is the file extension would be changed during uploading of it to the server. It could be saved as (random text).(any extension). The system works entirely as it is with different extensions then what they normally are.

For example, if you install a test board and start a new thread with an attachment...

In the database, under phpbb_attachments, change the physical_filename's extension to anything(.phpbb or whatever).
Then, in the attachments directory change the file's extension it is using to the same as what you made it in the database.
(do the same with the thumbnail if there is one)

Then go back to the thread that has the attachment and try downloading it. It works exactly the same as it does normally...


By changing the extensions automatically there is no need to worry about scripting languages like php, asp, etc. As they won't be executed by the the engine...
Plus by changing the extensions on images you remove the ability to hot link images. So other sites are not stealing your bandwidth.

Now, I know that you can bypass that by using a directory inaccessible from the web would do the same thing, but how many people know how to do that? And how many people could even do that when they are using one of those free forum sites?

I tried writing a mod up for it myself, and it seems to work fine, but I have not tested it much so I don't know if it will work all the time. This is what I did:
download.php?id=788&f=3

I would really like to hear the thoughts of a few devs on this. It would be really easy to implement, and you would gain quite a bit by it...

agent00shoe

Re: Attachments Security...

Post by agent00shoe »

It sounds like a good idea. You don't even need to go as far as renaming the whole file, you could just append a short extension to the end of it. For example:

my_file.php

would become

my_file.php.new_extension

It would still prevent hotlinking. If the point it so that people don't know the name of their uploaded file, you could include a short, random number within the extension, like:

my_file.php.49102.new_extension

Keeping the original filename in tact might make things a little simpler.

edit:
You could actually forget about the extension all together; just append a random number to the end of each file and it will accomplish everything mentioned.
Last edited by agent00shoe on Sat Oct 07, 2006 6:42 pm, edited 1 time in total.

User avatar
Acyd Burn
Posts: 1838
Joined: Tue Oct 08, 2002 5:18 pm
Location: Behind You
Contact:

Re: Attachments Security...

Post by Acyd Burn »

You need to be very caucious(sp?) when using more than one extension due to the mimetype (security) bug in mod_mime.

But overall worth a consideration if i have the time to have a really deep look at it.

Image

_underscore_
Registered User
Posts: 17
Joined: Fri Nov 04, 2005 3:09 pm
Location: CST
Contact:

Re: Attachments Security...

Post by _underscore_ »

Your suggestion does nothing to protect users from viruses- EXE, SRC, BAT, COM, DEB, RPM, etc can be very dangrous, which is a plus for the current system

User avatar
EXreaction
Registered User
Posts: 1555
Joined: Sat Sep 10, 2005 2:15 am

Re: Attachments Security...

Post by EXreaction »

_underscore_ wrote: Your suggestion does nothing to protect users from viruses- EXE, SRC, BAT, COM, DEB, RPM, etc can be very dangrous, which is a plus for the current system


Nothing at all will protect users from viruses or harmful data.

Do you understand what I mean? It is kept as the same exact system as we have where you can disable/enable whatever file type you want, so if you don't allow .exe files they won't be allowed to upload them.

The only difference that the changes I mentioned would make is that it would be much more secure for the server(since any scripting files would not be ran), there is absolutely no difference client side(except for the inability to hot link images).


As for the file extensions it would be changed to, would .phpbb be safe? Either that or you could just use numbers(randomized if you want).

EDIT: Or would it be safe to completely remove the extension on the file totally? Just have it named the random number it is given...

Yawnster
Registered User
Posts: 342
Joined: Sat Jan 29, 2005 9:18 pm
Location: London, UK
Contact:

Re: Attachments Security...

Post by Yawnster »

Personally I have come around to this idea, after you brought it up a few months back I believe, I was heavily specitical.. not quite being able to visualise the system I think.. but its a nice idea I think..

Anyway, on with brainstorming..

Having no file extension would be the best option I believe, then saving the extension in the database along with a timestamp and filename would be sufficent.. (renaming the actual physical file as.. *timestamp_filename* would do in thems of keeping them unique..)

However I do not agree with your hotlinking solution.. What happens if I do indeed want to hotlink an image... How do I enable the use of this without draining yet more system resources having to get it processed along with rendered on the same server.. (Imagine what would happen if /. started allowing avatars (Havent ever logged in, maybe it does).. what would the processing costs be if a user linked in a file there..)

I suppose I am open to ideas, but you have to keep in mind that some users will still want hotlinking and there has to be a solution to cater for that..

Yawnster :)

User avatar
EXreaction
Registered User
Posts: 1555
Joined: Sat Sep 10, 2005 2:15 am

Re: Attachments Security...

Post by EXreaction »

I guess I might have missed what you mean. The avatars shouldn't be changed at all, I would keep that the way it is with the file extensions.

Just the images that are uploaded in an attachment would be like that, where someone could not hot link to it.

Or does the avatar upload use the same system as the file uploads?

Yawnster
Registered User
Posts: 342
Joined: Sat Jan 29, 2005 9:18 pm
Location: London, UK
Contact:

Re: Attachments Security...

Post by Yawnster »

no.. the attachment feature should also be able to be used to upload images so that people can view/download that image.. Instead of having to link to a topic.. If you get my drift..

I would not be satisfied if hotlinking was completely disabled because I would have a need for it sometimes..

Yawnster

User avatar
EXreaction
Registered User
Posts: 1555
Joined: Sat Sep 10, 2005 2:15 am

Re: Attachments Security...

Post by EXreaction »

For that kind of stuff there are many sites that do that for free...

Supload, Photobucket, and a bunch of others...

You could still point them to your forum's download link. That would download the file with the correct extension, etc...

User avatar
EXreaction
Registered User
Posts: 1555
Joined: Sat Sep 10, 2005 2:15 am

Re: Attachments Security...

Post by EXreaction »

Any more thoughts/ideas?

Ever get a chance to think this over Acyd?

Post Reply