As we started talking about it in this thread:
viewtopic.php?f=3&t=25029&st=0&sk=t&sd=a&start=20
I really think the devs should at least think of changing the way the attachments are handled.
Now, to explain it for everyone who has not read that other thread...
All that would need to be done is the file extension would be changed during uploading of it to the server. It could be saved as (random text).(any extension). The system works entirely as it is with different extensions then what they normally are.
For example, if you install a test board and start a new thread with an attachment...
In the database, under phpbb_attachments, change the physical_filename's extension to anything(.phpbb or whatever).
Then, in the attachments directory change the file's extension it is using to the same as what you made it in the database.
(do the same with the thumbnail if there is one)
Then go back to the thread that has the attachment and try downloading it. It works exactly the same as it does normally...
By changing the extensions automatically there is no need to worry about scripting languages like php, asp, etc. As they won't be executed by the the engine...
Plus by changing the extensions on images you remove the ability to hot link images. So other sites are not stealing your bandwidth.
Now, I know that you can bypass that by using a directory inaccessible from the web would do the same thing, but how many people know how to do that? And how many people could even do that when they are using one of those free forum sites?
I tried writing a mod up for it myself, and it seems to work fine, but I have not tested it much so I don't know if it will work all the time. This is what I did:
download.php?id=788&f=3
I would really like to hear the thoughts of a few devs on this. It would be really easy to implement, and you would gain quite a bit by it...
Attachments Security...
Forum rules
Discuss features as they are added to the new version. Give us your feedback. Don't post bug reports, feature requests, support questions or suggestions here. Feature requests are closed.
Discuss features as they are added to the new version. Give us your feedback. Don't post bug reports, feature requests, support questions or suggestions here. Feature requests are closed.
Re: Attachments Security...
It sounds like a good idea. You don't even need to go as far as renaming the whole file, you could just append a short extension to the end of it. For example:
my_file.php
would become
my_file.php.new_extension
It would still prevent hotlinking. If the point it so that people don't know the name of their uploaded file, you could include a short, random number within the extension, like:
my_file.php.49102.new_extension
Keeping the original filename in tact might make things a little simpler.
edit:
You could actually forget about the extension all together; just append a random number to the end of each file and it will accomplish everything mentioned.
my_file.php
would become
my_file.php.new_extension
It would still prevent hotlinking. If the point it so that people don't know the name of their uploaded file, you could include a short, random number within the extension, like:
my_file.php.49102.new_extension
Keeping the original filename in tact might make things a little simpler.
edit:
You could actually forget about the extension all together; just append a random number to the end of each file and it will accomplish everything mentioned.
Last edited by agent00shoe on Sat Oct 07, 2006 6:42 pm, edited 1 time in total.
Re: Attachments Security...
You need to be very caucious(sp?) when using more than one extension due to the mimetype (security) bug in mod_mime.
But overall worth a consideration if i have the time to have a really deep look at it.
But overall worth a consideration if i have the time to have a really deep look at it.
-
- Registered User
- Posts: 17
- Joined: Fri Nov 04, 2005 3:09 pm
- Location: CST
Re: Attachments Security...
Your suggestion does nothing to protect users from viruses- EXE, SRC, BAT, COM, DEB, RPM, etc can be very dangrous, which is a plus for the current system
- EXreaction
- Registered User
- Posts: 1555
- Joined: Sat Sep 10, 2005 2:15 am
Re: Attachments Security...
_underscore_ wrote: Your suggestion does nothing to protect users from viruses- EXE, SRC, BAT, COM, DEB, RPM, etc can be very dangrous, which is a plus for the current system
Nothing at all will protect users from viruses or harmful data.
Do you understand what I mean? It is kept as the same exact system as we have where you can disable/enable whatever file type you want, so if you don't allow .exe files they won't be allowed to upload them.
The only difference that the changes I mentioned would make is that it would be much more secure for the server(since any scripting files would not be ran), there is absolutely no difference client side(except for the inability to hot link images).
As for the file extensions it would be changed to, would .phpbb be safe? Either that or you could just use numbers(randomized if you want).
EDIT: Or would it be safe to completely remove the extension on the file totally? Just have it named the random number it is given...
Re: Attachments Security...
Personally I have come around to this idea, after you brought it up a few months back I believe, I was heavily specitical.. not quite being able to visualise the system I think.. but its a nice idea I think..
Anyway, on with brainstorming..
Having no file extension would be the best option I believe, then saving the extension in the database along with a timestamp and filename would be sufficent.. (renaming the actual physical file as.. *timestamp_filename* would do in thems of keeping them unique..)
However I do not agree with your hotlinking solution.. What happens if I do indeed want to hotlink an image... How do I enable the use of this without draining yet more system resources having to get it processed along with rendered on the same server.. (Imagine what would happen if /. started allowing avatars (Havent ever logged in, maybe it does).. what would the processing costs be if a user linked in a file there..)
I suppose I am open to ideas, but you have to keep in mind that some users will still want hotlinking and there has to be a solution to cater for that..
Yawnster
Anyway, on with brainstorming..
Having no file extension would be the best option I believe, then saving the extension in the database along with a timestamp and filename would be sufficent.. (renaming the actual physical file as.. *timestamp_filename* would do in thems of keeping them unique..)
However I do not agree with your hotlinking solution.. What happens if I do indeed want to hotlink an image... How do I enable the use of this without draining yet more system resources having to get it processed along with rendered on the same server.. (Imagine what would happen if /. started allowing avatars (Havent ever logged in, maybe it does).. what would the processing costs be if a user linked in a file there..)
I suppose I am open to ideas, but you have to keep in mind that some users will still want hotlinking and there has to be a solution to cater for that..
Yawnster
- EXreaction
- Registered User
- Posts: 1555
- Joined: Sat Sep 10, 2005 2:15 am
Re: Attachments Security...
I guess I might have missed what you mean. The avatars shouldn't be changed at all, I would keep that the way it is with the file extensions.
Just the images that are uploaded in an attachment would be like that, where someone could not hot link to it.
Or does the avatar upload use the same system as the file uploads?
Just the images that are uploaded in an attachment would be like that, where someone could not hot link to it.
Or does the avatar upload use the same system as the file uploads?
Re: Attachments Security...
no.. the attachment feature should also be able to be used to upload images so that people can view/download that image.. Instead of having to link to a topic.. If you get my drift..
I would not be satisfied if hotlinking was completely disabled because I would have a need for it sometimes..
Yawnster
I would not be satisfied if hotlinking was completely disabled because I would have a need for it sometimes..
Yawnster
- EXreaction
- Registered User
- Posts: 1555
- Joined: Sat Sep 10, 2005 2:15 am
Re: Attachments Security...
For that kind of stuff there are many sites that do that for free...
Supload, Photobucket, and a bunch of others...
You could still point them to your forum's download link. That would download the file with the correct extension, etc...
Supload, Photobucket, and a bunch of others...
You could still point them to your forum's download link. That would download the file with the correct extension, etc...
- EXreaction
- Registered User
- Posts: 1555
- Joined: Sat Sep 10, 2005 2:15 am
Re: Attachments Security...
Any more thoughts/ideas?
Ever get a chance to think this over Acyd?
Ever get a chance to think this over Acyd?