Change "black list" to "white list" in the default connector configurations

[Frederico Caldeira Knabben]

Currently, we are using the "DeniedExtensions" setting for all connectors to define the list of denied extensions in all File Browser connectors.

It is a fact that it is quite hard to maintain this "black list", making it easy to miss something that could result in security issues. It would be much more sane to maintain a "white list", using the "AllowedExtensions" setting instead.

I'm sure many people will start complaining that this and that extensions will be missing, but this is configurable anyway, and would certainly make our security attempts more efficient.

I ask here for suggestions for the list of extensions we should be included in this "white list".

[Wiktor Walc]

I don't want to copy all the extensions from that site (for example): ​http://www.file-extensions.org/extensions/common so I'll just write which groups I consider as most important:

• Microsoft/Open Office documents
• documents of any other type (txt, rtf, pdf and so on)
• archives
• multimedia files (audio, images)

Extensions of this type should go into "files" group by default.

The question is how detailed the list might be. The more extensions we provide by default, the less users would have to adjust config file.

[Frederico Caldeira Knabben]

Replying to wwalc:

The question is how detailed the list might be. The more extensions we provide by default, the less users would have to adjust config file.

The more, the better, but we should not include things like .001 or .bib. Let's come with generic, but useful, things.

The important is not including security sensible things.

[Frederico Caldeira Knabben]

Your link was quite hand Wiktor. Here is a first proposal:

Document files

.doc   > Microsoft Office Word document
.ods   > OpenDocument Spreadsheet file
.pdf   > Portable document format: Adobe Acrobat File
.odt   > OpenOffice extension for word processing text documents
.ppt   > Microsoft Office PowerPoint Presentation file format
.pxd   > Microsoft Pocket Excel Spreadsheet
.rtf   > Rich Text Format document
.sdc   > StarOffice StarCalc Spreadsheet
.sxc   > OpenOffice.org 1.0 Spreadsheet file
.sxw   > OpenOffice.org Writer document
.vsd   > FlowChart; Visio Document
.xls   > Microsoft Office Excel spreadsheet

Archive and compressed files

.gz    > GZIP compressed archive file
.gzip  > GZIP compressed archive file
.rar   > RAR compressed archive
.sitd  > StuffIT archive format
.tar   > Unix standard Archive format, Tape Archive
.tgz   > Gzip compressed TAR Archive
.zip   > Compressed ZIP
.7z    > 7z is the compressed archive file

Audio and music files

.aiff  > Audio Interchange File Format
.mp3   > Compressed audio, music file
.mid   > MIDI-sequention sound

Image files

.bmp   > Windows bitmap image
.gif   > Graphics interchange file format
.jpg   > JPEG Image
.jpeg  > JPEG Image
.tif   > Tagged Image File Format (TIFF)
.tiff  > Tagged Image File Format (TIFF)
.png   > Portable (Public) Network Graphic

Data files

.csv   > Comma Separated Value file
.xml   > XML document	(? Not sure)

Text files

.txt   > Common text file

Additions? Exclusions?

[Wiktor Walc]

I digged through files on my computer and these also seems to be common:

Audio and music files
.mpc   > MusePack Audio file
.wav   > WAVe PCM Sound, standard Windows sound format
.wma   > Windows Media Audio

Flash:
.swf   > ShockWave Flash, Animated vector format for the Internet

There is one group I forgot about - video files (new group?).
.asf   > Advanced Streaming Format
.avi   > Audio Video Interleave movie
.mov   > Apple QuickTime Movie file, standard Macintosh video format
.mpg   > MPEG 1 video file format
.mpeg  > MPEG movie
.wmv   > Windows Media Video File

However video files are generally large, so don't know if they need to be on the list by default.

[Alfonso Martínez de Lizarrondo]

I think that people will ask about the support for video files, and I would add the .flv (flash video) to the pack.

[Frederico Caldeira Knabben]

I haven't included video files because of their usual large size, but there was no "for security" motivation for it, so we should include them.

I think we can go ahead compiling the list with our propositions, and move it to the code.

[Wiktor Walc]

Applied with [973] and [975].

ASP and CFM connectors had extended list of media files, so I included additional extensions found there: qt, ram, rm, rmi, rmvb.

I'm not closing it yet because I don't know if it has been applied also to .aspx (?).

[Frederico Caldeira Knabben]

Great job Wiktor!

ASP.NET is treated separately. We can close this one now.

[Alfonso Martínez de Lizarrondo]

Sorry for not reading it better the changeset before, but I don't think that some of the changes are right:

1. in the Image category the psd, tif and tiff extensions have been allowed, yes, they are images, but I don't think that they work without a plugin in any browser, so it seems strange that the users can upload a file from the image dialog and select it, but then it won't work.

2. I still don't know where the "Media" type is used in FCKeditor.

3. I've said this somewhere else, but allowing the use of .fla files in the flash dialog is pointless. Those .fla files are just the seed, the .c files of an .exe, and when you distribute a program you don't distribute the source. If you want to do it, you add them as "File" (and probably zipped with other stuff).

4. There is another bug about adding .flv and .as to the allowed extensions for flash, this could be the right time to change it (and I only mean to add .flv from the flash dialog as they will be used from a .swf movie and they need to be in the same folder unless it's specially coded)

5. (and last) the fckconfig.js file is lacking these changes, so the user might be able to start the upload but then get an error from the server saying that the extension isn't allowed and they have wasted some time waiting for the upload to finish.

[Wiktor Walc]

You are absolutely right, I agree.

2. just one thing - I think we could get a lot of questions from people wondering why Media folder disappeared

1,3,4. So to summarize:

• remove psd, tif, tiff from Images
• remove .fla from Flash
• add .as and .flv to Flash, Files

correct?

5. I definitely forgot about this. I wish it was possible to configure the whole FCKeditor using only one single file, that would be great :)

[Alfonso Martínez de Lizarrondo]

The media issue is just something that I wanted a little discussion about. In the current setup I don't think that it's used anywhere, so there are some questions about what's its use.

As soon as an "insert media" dialog is available, then it's obvious its utility, but for the moment I don't think that it's really useful, but this could be handled in another bug (#1430) to discuss it better as it isn't really related to the changes in this bug.

The fourth point from my point of view is only to add .flv, not the .as (due to the same reasons that 3)

Single file configuration: we can try to move to that approach little by little, I suggested in another bug that the server integration files should take care to configure the js paths for the file manager automatically.

Thanks Wiktor.

[Wiktor Walc]

Ok, fixed with [1041].

I've just noted that there is such a nice feature like spell checker in Eclipse :-) so I fixed also some typos in comments.