Closed Bug 1006721 Opened 11 years ago Closed 10 years ago

Restrict attachment types on bugzilla.mozilla.org

Categories

(bugzilla.mozilla.org :: Administration, task)

Product:
bugzilla.mozilla.org
Component:
Administration
Version:
Production
Platform:
x86_64
Linux
Type:
task
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED WONTFIX

People

(Reporter: benjamin, Unassigned)

Details

I've seen recently several bugs filed by unknown users with a random attachment, often word docs, excel spreadsheets, or other attachments that might be executable or have virus payloads. Bug 1006712 most recently. Have we considered restricting the type of attachments people can upload? Perhaps have a type blacklist or even whitelist for users without "canconfirm". Also, do we virus-scan attachments on the server?
I don't think we do virus scanning on the server. I think a whitelist or blacklist could be implemented in the BMO extension. If we can and will do that, the summary of this bug should be reflected to indicate that, else this bug should be closed as WONTFIX. I pass the buck up to :mcote. Do we want to have a blacklist of "bad" attachment mimetypes? My vote is no.
Flags: needinfo?(mcote)
I don't think we want to blacklist or whitelist types mainly because they can be easily changed. Rather, unknown, possibly dangerous attachments should just be deleted by an admin. As for scanning for viruses, perhaps we could catch some, but we couldn't guarantee catching all of them, so we wouldn't necessarily be really any better off. It would also be a fair bit of work. Perhaps we could entertain it if this is a big enough problem though.
Status: NEW → RESOLVED
Closed: 10 years ago
Flags: needinfo?(mcote)
Resolution: --- → WONTFIX
You need to log in before you can comment on or make changes to this bug.