Files allowed -- Blacklist instead of Whitelist?

Support and feedback for UniAdmin

Postby Graiford » Fri Mar 16, 2007 7:23 pm

Just a suggestion, the new 0.7.6 Uniadmin has a whitelist of files that's tending to cause issues either uploading / processing addons. It may be more beneficial to have a blacklist for types of files that CAN'T be uploaded instead of a whitelist of files that CAN be uploaded.


Again, this is just a suggestion. If anyone has a good work-around or significant concern as to otherwise, please let me know.

Postby zanix » Sat Mar 17, 2007 2:30 am

It has been decided in a long security-related thread that a whitelist is the way to go.

Postby Graiford » Tue Mar 20, 2007 11:26 pm

Hmmm, ok. Is there any way the end user can turn that off then? I can't really see going through every zip file and figuring out all the file extensions.

Postby zanix » Wed Mar 21, 2007 7:53 am

I'm changing this to a blacklist for 0.7.7

As of right now, there isn't a way to turn this off without editing code

include/uniadmin.php

Find
Code:
        $list = $archive->extract(PCLZIP_OPT_PATH, $path,
            PCLZIP_CB_PRE_EXTRACT, 'pclzip_pre_extract');

Replace with
Code:
        $list = $archive->extract(PCLZIP_OPT_PATH, $path);

Postby MattM » Fri Mar 23, 2007 7:26 am

I thought we were going with a whitelist.

Postby zanix » Fri Mar 23, 2007 9:04 am

I dunno if that is a good idea
The problem is keeping UA and UU's lists sync'ed

Postby MattM » Sun Mar 25, 2007 10:47 pm

It's decided then, we will use blacklists.

Postby ScratchMonkey » Wed Mar 28, 2007 7:22 am

A whitelist is as trustable as the website you're downloading from. Do you trust your GM?

I'd prefer to know exactly what files are being blocked so that GMs can more easily maintain their whitelist.

Postby MattM » Wed Mar 28, 2007 11:09 am

If UU detects a filetype in the blacklist, it will say so in the debug log.

UU/UA blacklist is a SMALL security measure compared to anything you can "trust".

It is true, if there are guildies that don't "trust" the person distributing these tools/services then there is a serious problem, a problem not concerning the developers of these tools.

We do as much as possible for the good of the community as far as these tools go, but we can't develop trust between anyone and anyone else.

What more can we do...

Postby ScratchMonkey » Wed Mar 28, 2007 12:14 pm

Agreed.

Note that "trust" in this sense isn't about good or bad will, but about knowledge of threats. I wouldn't trust my mother in this sense. She wouldn't have the first clue about what constitutes a threat. A guild that deploys software over the web would do well to recruit not just a good tank and a good healer, but a good security-minded IT person as well. It's important not to agro the crackers! ;)

Postby MattM » Wed Mar 28, 2007 9:38 pm

Very good point. The IT guy could then reassure the guildies that everything is fine, after investigating everything.

Postby gorgeth » Thu Mar 29, 2007 7:19 am

zanix wrote: I'm changing this to a blacklist for 0.7.7

As of right now, there isn't a way to turn this off without editing code

include/uniadmin.php

Find
Code:
        $list = $archive->extract(PCLZIP_OPT_PATH, $path,
            PCLZIP_CB_PRE_EXTRACT, 'pclzip_pre_extract');

Replace with
Code:
        $list = $archive->extract(PCLZIP_OPT_PATH, $path);


This is a nice fix for UA, but UU now will choke on the DL of anything that would have choked UA pre-fix...

Any chance of getting a UU build that works with UA so that mods with 2 periods in a directory name etc can actually be downloaded?
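
Added example, not part of the thread and not UniAdmin's own code: a PclZip pre-extract callback that judges only each file entry's final extension, so a directory name containing periods is not mistaken for a file type, and that records every entry it skips for a debug log. It also refuses entries whose stored path points outside the target directory, which goes slightly beyond the extension check discussed above. The function name, the blocked-extension list and the sample headers are assumptions constructed for illustration.

```php
<?php
// Constructed list and names for illustration; not UniAdmin's actual
// UA_ADDON_BLACKLIST or its pclzip_pre_extract function.
$EXAMPLE_BLOCKED = array('exe', 'bat', 'com', 'scr', 'php');
$EXAMPLE_SKIPPED = array();   // refused entries, kept for a debug log

// PclZip passes a pre-extract callback the event id and the entry header.
// Returning 1 extracts the entry; returning 0 skips it.
function example_pre_extract($p_event, &$p_header)
{
    global $EXAMPLE_BLOCKED, $EXAMPLE_SKIPPED;

    $name = str_replace('\\', '/', $p_header['stored_filename']);

    // Refuse entries that would land outside the target directory.
    if ($name === '' || $name[0] === '/' || in_array('..', explode('/', $name), true)) {
        $EXAMPLE_SKIPPED[] = $name . ' (path)';
        return 0;
    }

    // Directories carry no file type; periods in their names are harmless.
    if (!empty($p_header['folder'])) {
        return 1;
    }

    // Judge only the last path component, and only its final extension.
    $ext = strtolower(pathinfo(basename($name), PATHINFO_EXTENSION));
    if (in_array($ext, $EXAMPLE_BLOCKED, true)) {
        $EXAMPLE_SKIPPED[] = $name . ' (.' . $ext . ')';
        return 0;
    }
    return 1;
}

// Constructed headers in the shape PclZip hands to the callback (event id 0 is a stand-in).
$samples = array(
    array('stored_filename' => 'Cartographer/libs/Ace2.0/', 'folder' => true),
    array('stored_filename' => 'Cartographer/libs/Ace2.0/AceAddon-2.0.lua', 'folder' => false),
    array('stored_filename' => 'Cartographer/install.bat', 'folder' => false),
    array('stored_filename' => '../outside.lua', 'folder' => false),
);
foreach ($samples as $header) {
    $verdict = example_pre_extract(0, $header) ? 'extract' : 'skip';
    echo str_pad($verdict, 8) . $header['stored_filename'] . "\n";
}
echo 'Skipped: ' . implode(', ', $EXAMPLE_SKIPPED) . "\n";
```

With PclZip loaded, the callback's name is passed as the value following PCLZIP_CB_PRE_EXTRACT in the extract() call, in the same position as 'pclzip_pre_extract' in the snippet quoted above.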

Postby MattM » Thu Mar 29, 2007 10:56 am

too tired, unable to understand :(

Postby Shadowsong » Fri Mar 30, 2007 5:05 am

Yeah, that's the point... where can I modify the blacklist filetype?

Need it really badly for my cartographer :neutral: :scratch: :shaking:

Postby foreseit » Thu May 24, 2007 9:58 pm

You can modify the include/constants.php file. Do a search for 'UA_ADDON_BLACKLIST' and delete out the conflicts with cartographer.