Default File Upload Types

So it came to my attention today that by default (or at least here on Meta) there are a few major file types missing from the upload option. It would be great if the default (and Meta) allowed users to upload file types such as Word Docs, Excel Sheets, PDFs, etc. as these are the most likely files users would want to upload.

Below are the options on our own instance which I am fairly confident have not been changed - this is extremely restrictive.

2 Likes

Those would be potential security exploits if enabled globally. I suggest just enabling what you need on your instance as you see fit.

4 Likes

How much of a security risk do you think adding pdf extensions would be?

High. Do users regularly need to upload PDFs?

1 Like

No, I don’t allow file uploads either. I was just checking best practices.

1 Like

@codinghorror - would the plugin at https://meta.discourse.org/t/google-docs-onebox-for-discourse/26247/29 have the same security implications since the files are stored on Google Drive? I wouldn’t think so, but figured I’d check with you before I brought the idea to Bill…

Google Drive has a virus scanning policy which reduces the risks:

Virus scanning: Google Drive scans a file for viruses before the file is downloaded or shared. If a virus is detected, users can’t share the file with others, send the infected file via email, or convert it to a Google Doc, Sheet, or Slide, and they’ll receive a warning if they attempt these operations. The owner can download the virus-infected file, but only after acknowledging the risk of doing so.

Only files smaller than 25 MB can be scanned for viruses. For larger files, a warning is displayed saying that the file can’t be scanned.

2 Likes

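This is from 5 years ago, but I think my question is still relevant. Could you tell me what the security risks or problems are with allowing PDF uploads?

With modern PDF clients, it is usually relatively safe.

Current Firefox ships with a native renderer, which reduces the risk further.

That said, I think the vast majority of Discourse forums do not need this enabled, so I consider the defaults as currently set to be fine.

2 Likes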