Drupal.org
Issues

Additional extensions for files to be attached to issues

Posted by geodaniel on December 27, 2007 at 7:20pm
Project:Drupal.org webmasters
Component:Other
Category:feature request
Priority:normal
Assigned:Unassigned
Status:active

Issue Summary

I'm trying to add a .test file for the CustomError module and I'm being warned that I can't attach files with a .test extension. Please could that be added as an allowed extension?

Login or register to post comments

Comments

#1

Posted by geodaniel on December 27, 2007 at 7:21pm
Project:Test driven development infrastructure» Drupal.org webmasters
Component:Miscellaneous» Other

#2

Posted by Michelle on December 27, 2007 at 10:52pm
Title:Allow .test files to be attached to issues» Additional extensions for files to be attached to issues

Hijacking your issue because this has been bugging me lately. :)

In addition to the .test for the OP, could we have .inc added? Getting tired of having to add a .txt to the end of it.

Thanks,

Michelle

#3

Posted by kiamlaluno on November 8, 2009 at 1:34pm
Category:support request» feature request

Allowing to attach a file with extension inc seems a reasonable request, to me.

As both the extensions are used for development files, I think it would be good to have them added. Also, files with those extensions are harmless, for a computer; I mean that an OS doesn't try to execute them, normally.

+1 from me.

#4

Posted by kiamlaluno on January 31, 2010 at 12:31am

Does anybody else have a thought about this?
As Drupal.org is a site for developers, it should at least allow to use those extensions that are normally used for PHP code (especially from Drupal).

#5

Posted by Gerhard Killesreiter on January 31, 2010 at 9:57am

I guess somebody needs to add these.

#6

Posted by kiamlaluno on February 1, 2010 at 7:13am

I am willing to help in such tasks; there are other feature requests that needs a user to change the settings (such as the ones about the tags allowed in a input format), and I can accomplish such tasks.

#7

Posted by dww on February 1, 2010 at 8:20am

What needs to happen here is someone needs to audit and test how various httpds and browsers handle these file extensions. The scary thing about allowing new file extensions in uploads is that in some combinations, the new extensions can be automatically loaded and evaluated, leading to XSS or code execution vulnerabilities. So, if you want direct .test and .inc uploads, you have to show that they're safe. Thanks!

#8

Posted by kiamlaluno on February 3, 2010 at 10:04pm

I made some simple tests on Mac OS X, and Windows.

  • I have taken a JavaScript file, an HTML file linked to some JavaScript files, and an executable.
  • I changed the extension of the file to .inc first, and then to .test.
  • I have attached the files to a book page, and clicked on the links reported at the bottom of the page.
  • As result, no code has not been executed.

It's not clear to me if we would be worried if something would happen in the client side, or the server side.
If something weird would happen at server side, then it would be a bug in Drupal code, and I am sure it should have been already discovered (as I am sure that the proposed extensions don't activate a dormant bug in Drupal code); if we would be worried about something weird happening on client side, then the default extensions would not allow to attach a .doc or a .xls file, considering that those files can contain malicious code in the included macros.

Looking at the allowed extensions, I notice that the extension .test is already allowed. Does that extension create less problems than the extension inc?

nobody click here