Feature Request - Improve File Storing / Uploading

davesmith87

I wanted to document any local gpedit settings that maybe setup on a device, using rsop.

I ran the following command to document to a .html file.

Then attempted to upload to IT Flow and found out .html files are not supported.

Kindly requesting .htm and .html files to be supported file types to upload.

Yes, I know I could .zip them up but it seems like that should be an unnecessary step.

gpresult /h C:\Temp\RSoPReport.html

JosephWithCOR

davesmith87 Yes, I know I could .zip them up

@litechforce He knows.

I understand the desire to reduce click count. To remove steps. For this reason I LOVED my old palm handspring.

But in this case making a zip file of 'unsupported' file type / extensions is an extra step (yes) AND an extra layer of protection for you or your client if you are sharing documents. When the file is downloaded to your computer, it will be virus scanned before it could ever be opened and potentially infect.

Its the same logic behind uploading a .vbs, or .js, or .ps1.

If @davesmith87 is working in powershell, the output could be piped through Compress-Archive (something I learned while typing this response).

magixnetworks

Uploading a HTML file in theory would be fine but when you try to download it the web server is going to treat it as exactly what it is.. a HTML file which it will then process as such. Put some malicious code into that HTML file and you have an exploit waiting to happen.

johnny

exactly that @magixnetworks

@davesmith87 deff no html htm js php files maybe best bet to print it to a pdf then upload the pdf instead as a better alternative

Bigbug

How about this?

1. Strip Extensions: Store files without extensions; save original names and extensions in the database.

2. Unique Filenames: Use unique IDs to avoid collisions. (I think that's a thing already, no?)

3. Controlled Downloads: Re-append extensions during download and force file downloads using headers.

4. Restrict Access: Block direct access to storage directories in web server configs.

5. Set Permissions: Use chmod 644 and remove execute permissions.

6. Disable Directory Listing: Use Options -Indexes (Apache) or autoindex off; (Nginx).

7. Validate Uploads: Check MIME types to prevent malicious files.

This method prevents accidental execution and unauthorized access.

johnny

@Bigbug love the improvements you suggested

we added this to the task list.

https://tasks.dev.itflow.org/task_details.php?task_id=116

This would eliminate the need to check file extension before upload hence giving the user full range on what to upload.

wrongecho

This will 100% result in a security issue in the future. Mark my words.

mikeie

wrongecho same from me

Bigbug

wrongecho Marked 🙂

johnny

This obviously needs more research before Implementation of any sorts

litechforce

What if upon upload, the file is zipped? The extension wouldn't matter, as it would be a zip file. When the file is downloaded, there could be a pop-up modal that the person has to agree to before downloading the file.

wrongecho

I wonder if we can maintain the current 'supported' file types (with maybe still the idea of allowing them to be configurable), but if a file-type we don't like/support is uploaded then PHP zips it on the fly? I haven't looked into how technically possible it is, but it looks like PHP has a zip extension.