Consensus on Attachment Extensions..

Discussion of general topics related to the new version and its place in the world. Don't discuss new features, report bugs, ask for support, et cetera. Don't use this to spam for other boards or attack those boards!
Yawnster
Registered User
Posts: 342
Joined: Sat Jan 29, 2005 9:18 pm
Location: London, UK

Consensus on Attachment Extensions..

Post by Yawnster »

Howdy guys,

I noticed that the attachment extension list is a little bare to say the least, as when phpBB3.x goes final adding in things like extra file formats to this list won't really be possible.. I was wondering if people could make a list of Attachment Groups and Extensions in each group so we can kind of get a consensus on what formats are most useful for everyone to use.. (I mean, wouldn't it be annoying if you are using a board that you are not an admin of, you are a fairly new user, and the file you wish to upload doesn't work because of a change that could have been implemented by default :P)

Extended List Of Extensions...

Black - The current extensions included by default.
Red - Extensions I feel are worthy of entering the list..
Blue - Means I am unsure of the popularity of this extension, whether or not it will be used by enough users..
Green - Unsure of security status..
Orange - Definite No.. Based on any number of factors..
Purple - Not viable in terms of the Internet

Images
  • BLEND - Too topic specific
  • BMP
  • GBH - Too topic specific
  • GIF
  • GIH - Too topic specific
  • JPEG
  • JPG
  • PAT - Too topic specific
  • PNG
  • PSD - Too topic specific
  • RAW
  • SVG
  • TGA
  • TIF
  • TIFF
  • XCF - Too topic specific
Archives
  • 7Z
  • ACE
  • ARJ - Not sure if this has enough usage, I understand it is supported by WinZip and WinRaR, but besides that I had never even used or heard of it before..
  • BZ2
  • BH - Too specific, should be a candidate for admin addition..
  • CAB - Too specific, should be a candidate for admin addition..
  • DEB - Too topic specific, only would affect Linux related forums
  • EXE - Security Issues
  • GTAR
  • GZ
  • HA - Too specific, should be a candidate for admin addition..
  • JAR - I am guessing this would have security implications as the .jar format can be used as an installer I believe..
  • LHA - Too specific, should be a candidate for admin addition..
  • MSI - Security Issues
  • RAR
  • RPM - Too topic specific, only would affect Linux related forums
  • TAR
  • TORRENT
  • ZIP
Plain Text
  • BAT - Security Issues
  • C
  • CPP
  • CSV
  • DIZ
  • H
  • HPP
  • HTML - Security Issues
  • INI
  • JS
  • LOG
  • MOD - I know that this format is used for phpBB Modifications system, but is also a media format I believe, I do not think it's suitable for inclusion into the list as it's too specific.
  • PL - Security Issues
  • PHP - Security Issues
  • PHPS
  • PY - Security Issues
  • SQL - Not sure if this would be good for all forums
  • TXT
  • XML - Security Issues
Documents
  • AI
  • DOC
  • DOT
  • ODG
  • ODP
  • ODS
  • ODT
  • PDF
  • PPT
  • PS
  • RTF
  • XLS
Media
  • M4A
  • M4V
  • MOV
  • MP3
  • MP4
  • MPEG
  • PLS - To my knowledge this is a streaming audio/video extension, I am unsure of the popularity of it, so it's a judgement call I guess.
  • OGG
  • SWF - Use the [flash] BBcode Instead.. Almost identical functionality..
  • RM
  • WAV
  • WMA
  • WMV
Current List
Images
  • GIF
  • JPEG
  • JPG
  • PNG
  • TGA
  • TIF
Archives
  • ACE
  • GTAR
  • GZ
  • RAR
  • TAR
  • ZIP
Plain Text
  • C
  • CPP
  • DIZ
  • H
  • HPP
  • TXT
Documents
  • AI
  • DOC
  • DOT
  • PDF
  • PPT
  • PS
  • XLS
Real Media
  • RM
Windows Media
  • WMA
  • WMV


It may not need much tweaking, but I think that a few more programming languages should be included into the plain text, (I am not sure of the security implications of allowing Perl, PHP, C#, HTML or XML (XML and HTML should be fine).. but I am sure that there can be a few more that people will use..)


Hope someone replies.. Yawnster

Final List can be found : viewtopic.php?f=3&t=25029&p=158844#p158844
Last edited by Yawnster on Tue Sep 19, 2006 5:16 pm, edited 34 times in total.

Uchiha Nick
Registered User
Posts: 397
Joined: Tue Jul 20, 2004 6:21 am
Location: Rotterdam, The Netherlands

Re: Consensus on Attachment Extensions..

Post by Uchiha Nick »

PHP can be very dangerous.

Why not let users themselves arrange allowed extensions?

Yawnster
Registered User
Posts: 342
Joined: Sat Jan 29, 2005 9:18 pm
Location: London, UK

Re: Consensus on Attachment Extensions..

Post by Yawnster »

Well yes, but why not produce a list of common extensions that could be used.. One that is a little bit more comprehensive than the current one is what I am suggesting..

I know allowing C#, PHP and Perl or any other kind of webscripting technology would not be the best, but I see no reason why we cannot allow HTML or XML onto the list.. (maybe because of javascript issues?)

NeoThermic
Registered User
Posts: 198
Joined: Fri Jan 02, 2004 3:44 pm
Location: United Kingdom

Re: Consensus on Attachment Extensions..

Post by NeoThermic »

From a security standpoint, no for PHP, pl, HTML and XML.

From a logical standpoint, no for bmp. It is not an internet-ready image format, and should not be allowed to attach.

NeoThermic
phpBB release date pool!
The NeoThermic.com... a well of information. Ask me for the bit bucket so you can drink its goodness. ||新熱です

_underscore_
Registered User
Posts: 17
Joined: Fri Nov 04, 2005 3:09 pm
Location: CST

Re: Consensus on Attachment Extensions..

Post by _underscore_ »

Extensions that might have some use:
xcf (THE GIMP! - pretty important) - useful
gbh (Gimp) - see below
gih (Gimp) - see below
pat (Gimp) - Useful for gimp forums
java (Only source, shouldn't hurt anything or anybody) - We've got c
md5 - small, useful
svg - It's an image format!
pgn (Some sort of chess game format, if I'm not mistaken?) - Chess forums!!!
blend (Blender) - useful for Blender people
tgw (Terragen) - useful for Terragen people
ter (Terragen) - same as above
ini, cnf, conf (Configuration files) - useful for some support forums

Can't think of any others right now.

Oooh, didn't see Graham's post, I'll change mine.

Oh, and PY might be a security problem... - same with bat, it's an executable script...
Last edited by _underscore_ on Tue Sep 05, 2006 4:30 pm, edited 5 times in total.

Graham
Registered User
Posts: 1304
Joined: Tue Mar 19, 2002 7:11 pm
Location: UK

Re: Consensus on Attachment Extensions..

Post by Graham »

A couple of points to be noted here before this list gets too silly

1. The attachment functionality is not intended for providing a download site - so files which are mainly likely to be used for that sort of functionality would be questionable to be added
2. There needs to be a reasonable chance that the filetype might actually be used (ie if you can't even explain what the filetype is for, it's highly unlikely we would add it ;) )
"So Long, and Thanks for All the Fish"

Graham
Eeek, a blog!

DarsVaeda
Registered User
Posts: 87
Joined: Thu Feb 03, 2005 11:15 pm
Location: Germany

Re: Consensus on Attachment Extensions..

Post by DarsVaeda »

I wouldn't add any executable files, because how can you trust such files?
And I wouldn't add any file types that are large by their origin like bmp or raw image files, those are not meant to be shared over the net.
But I would really like to see files like from openoffice, 7zip or other free projects. Those need any support they can get and many deserve it!
"They say time is the fire in which we burn."

TerraPedia.org

Rotsblok
Registered User
Posts: 325
Joined: Mon Nov 14, 2005 12:21 pm
Location: x= y+1

Re: Consensus on Attachment Extensions..

Post by Rotsblok »

Only ones I can think of that might be useful if added are the open document structure ones as more and more companies are switching to it.
ø = 1.618033988749895...
Everything has ø in it

Yawnster
Registered User
Posts: 342
Joined: Sat Jan 29, 2005 9:18 pm
Location: London, UK

Re: Consensus on Attachment Extensions..

Post by Yawnster »

NeoThermic wrote: From a security standpoint, no for PHP, pl, HTML and XML.

From a logical standpoint, no for bmp. It is not an internet-ready image format, and should not be allowed to attach.

NeoThermic


Aha ok, well I'll update the list to include this advice.. I was just wondering why can't XML and HTML be used, is it because Javascript can be used within this? Thus providing a whole load of security related problems? Or am I missing something major?

Thanks.. Yawnster

Omnidon
Posts: 5
Joined: Wed Aug 16, 2006 7:23 am

Re: Consensus on Attachment Extensions..

Post by Omnidon »

Personally I would like to see it possible to attach anything based on admin settings. It could be configured similarly to the settings for HTML posting in phpBB 2.x.x

Certainly there are plenty of security risks involved, but all features have that problem and it should be left up to the admin.

For example, what if the forum is for a small group of trusted friends? Then they may want to be able to attach otherwise dangerous filetypes.

Either way, I definitely think attaching SWF (Flash) files should be possible.

-EDIT-
And yes, SWFs can be a security risk although there are ways to reduce those risks based on server / code settings.
It is already possible to use SWFs in posts however using the new BBcode, so it doesn't seem like a far leap to allow them to be attached.
Last edited by Omnidon on Tue Sep 05, 2006 7:41 pm, edited 3 times in total.
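
An added example, not part of any post and not phpBB's own code: an upload check that uses the groups from the "Current List" above as an admin-configurable allow-list and rejects any file name containing an extension the thread flags for security, including in a non-final position such as `shell.php.jpg`. The function name, the `FLAGGED` set and the sample file names are assumptions made for the illustration.

```python
# Allow-list: the groups from the "Current List" in the first post.
ALLOWED_GROUPS = {
    "Images": {"gif", "jpeg", "jpg", "png", "tga", "tif"},
    "Archives": {"ace", "gtar", "gz", "rar", "tar", "zip"},
    "Plain Text": {"c", "cpp", "diz", "h", "hpp", "txt"},
    "Documents": {"ai", "doc", "dot", "pdf", "ppt", "ps", "xls"},
    "Real Media": {"rm"},
    "Windows Media": {"wma", "wmv"},
}
# Extensions the thread marks as security concerns (assumed deny set).
FLAGGED = {"exe", "msi", "bat", "jar", "html", "pl", "php", "py", "xml"}


def classify_attachment(filename, groups=ALLOWED_GROUPS, flagged=FLAGGED):
    """Return (accepted, group_or_reason) for a client-supplied file name."""
    if "\x00" in filename:
        return (False, "invalid name")
    # Keep only the last path component; some clients send a full path.
    name = filename.replace("\\", "/").rsplit("/", 1)[-1]
    # Windows drops trailing dots and spaces, so "run.bat." is "run.bat".
    name = name.strip().rstrip(". ").lower()
    stem, *exts = name.split(".")
    if not stem or not exts:
        return (False, "no usable extension")  # "README", ".htaccess"
    # Some web servers pick a handler from any extension in the name,
    # not only the last one, so every segment is checked.
    for ext in exts:
        if ext in flagged:
            return (False, "flagged extension: " + ext)
    for group, members in groups.items():
        if exts[-1] in members:
            return (True, group)
    return (False, "extension not allowed: " + exts[-1])


if __name__ == "__main__":
    # Constructed sample names, not taken from the thread.
    for sample in ["holiday.JPG", "backup.tar.gz", "shell.php.jpg",
                   "page.html", "C:\\Users\\me\\run.bat.", ".htaccess"]:
        print(sample, "->", classify_attachment(sample))
```

An admin who wants a different policy passes their own `groups` and `flagged` sets; the extension check is only the first gate and says nothing about the file's actual contents.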
