Additional extensions for files to be attached to issues

Hijacking your issue because this has been bugging me lately. :)

In addition to the .test for the OP, could we have .inc added? Getting tired of having to add a .txt to the end of it.

Thanks,

Michelle

Allowing to attach a file with extension inc seems a reasonable request, to me.

As both the extensions are used for development files, I think it would be good to have them added. Also, files with those extensions are harmless, for a computer; I mean that an OS doesn't try to execute them, normally.

+1 from me.

Does anybody else have a thought about this?
As Drupal.org is a site for developers, it should at least allow to use those extensions that are normally used for PHP code (especially from Drupal).

I guess somebody needs to add these.

I am willing to help in such tasks; there are other feature requests that needs a user to change the settings (such as the ones about the tags allowed in a input format), and I can accomplish such tasks.

What needs to happen here is someone needs to audit and test how various httpds and browsers handle these file extensions. The scary thing about allowing new file extensions in uploads is that in some combinations, the new extensions can be automatically loaded and evaluated, leading to XSS or code execution vulnerabilities. So, if you want direct .test and .inc uploads, you have to show that they're safe. Thanks!

I made some simple tests on Mac OS X, and Windows.

• I have taken a JavaScript file, an HTML file linked to some JavaScript files, and an executable.
• I changed the extension of the file to .inc first, and then to .test.
• I have attached the files to a book page, and clicked on the links reported at the bottom of the page.
• As result, no code has not been executed.

It's not clear to me if we would be worried if something would happen in the client side, or the server side.
If something weird would happen at server side, then it would be a bug in Drupal code, and I am sure it should have been already discovered (as I am sure that the proposed extensions don't activate a dormant bug in Drupal code); if we would be worried about something weird happening on client side, then the default extensions would not allow to attach a .doc or a .xls file, considering that those files can contain malicious code in the included macros.

Looking at the allowed extensions, I notice that the extension .test is already allowed. Does that extension create less problems than the extension inc?

Closing old, stale issues as part of the webmaster's clean-up spring of DrupalCon Prague.