I have a system where users can upload, well, anything really - and these files are available to other users.
I need to come up with a list of file types that are genuinely needed by professionals in different industries that are safe from hacking/viruses, etc.
.doc .docx .gif .jpg .jpeg .mpg .mpeg .mp3 .odt .odp .ods .pdf .ppt .pptx .tif .tiff .txt .xls .xlsx .wav
What other file types do you know of that are both useful and safe?
Clarification
Many of the comments and responses are asking for a clearer definition of 'safe from hacking/viruses' - I ask the question with precisely that level of detail because I don't have as sophisticated an understanding of file types and their risks as many of you do, and I would like guidance on 1) any file types that may keep my site more secure, and 2) if there are no 'safe' file types then any advice on how to move forward with a system that allows for flexible uploading and sharing of files.
If indeed any malicious file can be packaged as a seemingly-safe file, how can I protect my users?
No filetype is safe if the program you use to open it with is badly (or carelessly or evil-y) written.
You can't assume that all files with a given extension is safe from 'viruses'.
I can easily rename a malicious executable to .doc and 'hack' your system.
EDIT:
There is no (simple?) way to check whether a user-uploaded file is malicious or not.
The app that you're creating is no different than any other file sharing websites out there (Rapidshare, Megaupload, etc).
There is nothing stopping anyone to upload malicious files to those websites.
Safe files does not exists. The ordinary text file is safe? For example with content:
format c:
if some program can execute a content of the file... you get the idea.
So, here are not safe files - only restrictions to RUN code (programs). (And I understand if this answer does not like.) :)
For "useful" you'll need to ask your customers.
For safe, there's no such thing because a file extension is just a part of the file name that gives a suggestion of what type of file it is. It need not accurately represent the type, and is easily manipulated.
Rather than protecting based on file type. I would get a 3rd party to virus scan each file on upload. Reject those which are identified as positive.
The list is pretty endless! A quick search finds http://filext.com/alphalist.php?extstart=^A
Well you can include all data files and exlude all executable/script files.
One list of executable file extensions is here: http://pcsupport.about.com/od/tipstricks/a/execfileext.htm
you may look other sources to inprove coverage.
Edit: for second part of the question addressing sequrity-
It would be best to have bunch of anti malware software installed on the server to check each sumbission - they are designed for this specialized task, use them. Anyways no executable file is professionaly useful as long as people are not looking for crackware.
Related
I am working on an App, in which I want to upload images and pdf to the FTP server. I am using this reference ref.All is working good. The images and pdf are getting uploaded on the server with proper names and sizes.
But, now I want to check if the directory is already exists on the server or not. I am not able to get it to work with this library.
So my question is that how to check directory on ftp,if directory is there then upload the files if not then first create directory on ftp and then upload files onto that directory?
Any Ideas.. ? Any help will be appreciated.
Different FTP servers will answer the LIST request in differing ways, so there is no single answer to this question. RFC959 says on the matter:
Since the information on a file may vary widely from system
to system, this information may be hard to use automatically
in a program, but may be quite useful to a human user.
Using the CWD request to change into the directory in question, and detecting a successful response will detect the directory, however that leaves you in that directory as a potentially unrequired side effect.
For these reasons, as well as others, you may find more modern protocols such as SSH (which includes a file transfer feature) to be more useful. You may find the DLSFTPClient CocoaPod useful.
M.
i have an iOS App which loads and .txt file from app's root. If i use iFunBox or any iPhone Browsers i can see that .txt file, how can I hide it? I think it's all about security of this file, encode/decode. Please help me. Any advice, source codes, examples. I'm new here. thanks
The short answer: You can't
The long answer: No matter what you do, you will end up having a copy of the decrypted contents in memory at some point so a crafty cracker will be able to copy the contents out of memory. The best you can do is make it not worth their trouble. This includes using pure C, never storing the contents in one variable (always concat, etc), and encrypting the file with an industry standard encryption like AES-256. Good luck.
I'm not sure that it is possible to protect the file any more than what apple already does. Even if you could, I don't think It would really be worth your trouble to do so unless the .txt file is something that you really need to protect.
I can use:
#+INCLUDE:
to include an org file in another org file, which allows me to assemble, say, a website from various org files. I'm exporting from the C-c C-e exporter in org-mode 7.5.
I could maintain a quite complex publication this way. This modular approach is quite common in, e.g. LaTeX and Texinfo publications.
However, links to images no longer work from the #+INCLUDEd org files. What seems to be happening is that the path to the images is taken as being from the org file that I am exporting from, rather than the actual org file that references the image.
The only ways I can see to resolve this are to:
use a flat file structure; or
make the image path from the referencing file (which I might not know in advance) rather than itself.
Neither of these is really sustainable.
How do I tell org to use the correct image path from its own relevant org file rather than the parent org file?
From what I know of the exporter, INCLUDE files are inserted into the document before export. Therefore the content is part of the document before it starts following paths to reach any links to files (images).
After a bit of testing you likely will need to use absolute file paths. Since you move between Windows and Linux your best bet would be to use a consistent scheme on both starting from your home directory.
Like that you can make the Org link:
[[~/path/to/image.jpg]], which will work on both systems (assuming you have set %HOME% on Windows).
Option 1 is potentially an alternative (although I agree it wouldn't be ideal at all), whereas the second option would have obvious pitfalls if you INCLUDE the file in more than one future document.
I need to upload multiple files on my website.
But I need not just a form for uploading multiple files, I need to upload whole directories.
How's this possible for the minimalist?
Yours, Joern.
According to my somewhat limited knowledge this is not possible, only file transfer is possible, not directories.
Here are some workarounds, based on discussion on Velocity Reviews and another discussion:
upload a zip, which you unzip at the server side
upload directories over ftp (web page can be a front end to this)
upload files one by one
I would go either for zip or ftp. Note: someone might have produced a gem that enables uploading directories (I know nothing of such thing, but I will be happy to find out, if there is).
Adding another option to the list provided by Sorrow:
upload via REST/JSON
OK, this is a partial solution, but it does give you the opportunity to write a script that reads your directory and POSTS to your website.
Windows Live Messenger creates a number of files like
C:\Users\USERNAME\AppData\Local\Microsoft\Windows Live Contacts{ae86acef-5a45-4447-bc32-521fc9289e1a}\DBStore\contacts.edb
and stores contacts within. When looking on such files, it is obviouos that they have strict structure. However, I failed to find the description of contacts.edb structure in internet.
Does anybody knows this structure? Or maybe there are some parser sources available? (I do not need a exe for that, I know about NirSoft one).
There is a project called libesedb which might be of use here.
The contacts.edb file is an ESEBD file.