ability to blacklist certain types of files (eg. swf)

[mattab]

The goal of this issue is to add a blacklist of filetypes, that should not be mirrored in the github issues mirror. We could set the default blacklist to swf to exclude flash files from being synched.

Why? this is a security improvement. We received this report:

Hello.
I am to founded xss in subdomain of piwik.org
http://issues.piwik.org/attachments/1199/swelen_dateslider.swf?instance=alert(document.domain))}catch(e){}//
with best regards,
Sergey Markov

blacklisting some file types would help minimise such XSS vulnerability.

[Findus23]

Is this still relevant? I haven't found a line that allows the mirroring of attachments. Am I overlooking something?

[tsteur]

Unfortunately I don't really remember. I think this was actually when we migrated from Trac to Github and we synced/copied the attachments from Trac to make sure we still have them but I may be wrong.

[mattab]

Yes it is still relevant, would like to blacklist file extensions especially Flash SWF because it can be used to trigger an XSS currently.

[Findus23]

Hi, I understand why swf files should be excluded, but I don't know where the attachments come from as I haven't found a corresponding piece of code.

[tsteur]

Yep I don't think we download any attachment. As far as I know we only kept some attachments from Trac but not 1000% sure :)

[Findus23]

https://issues.piwik.org/1199 links to them so I guess I’ll just remove any link in the form of /attachments/*.swf

[mattab]

👍

[Findus23]

Fixed in 6a3167d (#10)

Keep in mind that a XSS is still possible as long as people can upload random HTML files.

But as this only seems to display old files, that shouldn't be a problem.