Allow all file types in PM's

[jackall108]

Hello MCM. Recently, I was doing business on here involving the sale of a plugin. However, I had to zip it, then upload it, because PM's don't allow .jars. I personally think this is kind of silly, and should be removed for best possible user experience. Thanks!

 

[Lockheed]

They can't for security reasons

 

[jackall108]

They can't for security reasons

Such as...?

 

[Samuel]

Such as...?

virus.exe
Scratch that - if we're allowing .zip, then there should be no other restrictions.

 

[Yue]

Good idea

 

[Zyger]

Why not just upload it onto google drive, and link the download?

 

[jackall108]

Why not just upload it onto google drive, and link the download?

Once again, I am thinking about overall user experience. I think this would just make the whole thing easier. We can upload any files anyway with .zip, it's kind of pointless not to allow it.

 

[4thOfJuly]

It's perfect if they wanna get their website backdoored.

 

[BOOP]

When a user uploads a file - it is hosted on the server that hosts mcm.
The file could be an exe or something of the sort and could run when it reaches the server, and download a backdoor.

Allowing the person sending the file to have access to MCM.

Although, I have no experience in this, so I could be wrong.
And I'd assume there would be something in place in case something like that happened anyways.

 

[4thOfJuly]

When a user uploads a file - it is hosted on the server that hosts mcm.
The file could be an exe or something of the sort and could run when it reaches the server, and download a backdoor.

Allowing the person sending the file to have access to MCM.

Although, I have no experience in this, so I could be wrong.
And I'd assume there would be something in place in case something like that happened anyways.

Almost right, people could upload PHP files with a script within them, that allows for backdoor connections. It could destroy the entire website

 

[BOOP]

Almost right, people could upload PHP files with a script within them, that allows for backdoor connections. It could destroy the entire website

So I was kinda right...I guess.

 

[Ivain]

I dont see how allowing .zip files means any filetype should be allowed. .zip cannot execute by itself, as far as I know, you need to unpack it first for any scripts to become active.

 

[Lyphiard]

Almost right, people could upload PHP files with a script within them, that allows for backdoor connections. It could destroy the entire website

No it can't. Files are uploaded to a secured directly and are downloaded through to the client in a manner such that code won't be able to run.

The main issue is that (as far as I know) these attachment extensions aren't just limited to conversations. If we want to, say, enable the uploading of .jar files for conversations, we would need to enable them site-wide. People could easily post a thread with a malicious file and others can get infected with a virus easily.

However, I think that with some careful consideration, there may be some other file extensions that can be added.

 

[Lockheed]

So lets stay with .zip and .rar we'll be safe, close the thread.

 

[matthewp]

Just use a external site? If you have webhosting upload them to a folder then give someone the link?

If they allowed all uploads on MCM they could upload malicious files, but it doesn't stop them from doing it externally either.

 

[subbotted]

When a user uploads a file - it is hosted on the server that hosts mcm.
The file could be an exe or something of the sort and could run when it reaches the server, and download a backdoor.

Allowing the person sending the file to have access to MCM.

Although, I have no experience in this, so I could be wrong.
And I'd assume there would be something in place in case something like that happened anyways.

Almost right, people could upload PHP files with a script within them, that allows for backdoor connections. It could destroy the entire website

Just use a external site? If you have webhosting upload them to a folder then give someone the link?

If they allowed all uploads on MCM they could upload malicious files, but it doesn't stop them from doing it externally either.

Resources allow all file extensions (I think) so I don't see why not? You could upload a obfuscated rat to resources that a resource mod cant check (because its obfuscated) so this can happen anyway.

 

[Ivain]

Resources allow all file extensions (I think) so I don't see why not? You could upload a obfuscated rat to resources that a resource mod cant check (because its obfuscated) so this can happen anyway.

With the enormous difference that in the case of resources, it DOES first need to pass the resource mod. Which makes it a lot more difficult. Whereas in PM's, there is 0 check for the person.

Also, I believe some people were making the point that there might be filetypes that execute as soon as you click them. If this was a thing in resources, Justis's PC would be fucked up (assuming it got past his Pc security), but that would be it. In PM's, you could potentially fuck up hundreds of people before being banned.

 

[matthewp]

If zips or rars are allowed can't people just zip a jar and any other files?

 

[ArTiste7]

Hello MCM. Recently, I was doing business on here involving the sale of a plugin. However, I had to zip it, then upload it, because PM's don't allow .jars. I personally think this is kind of silly, and should be removed for best possible user experience. Thanks!

Nicee

 

[IIFlashII]

Could we move this into the declined section now? So more important suggestions can be seen? Because clearly it's a no due to security reasons.