Allow upload of KiCad files

Would be good to enable .kicad_mod, .sch, .pro and zips etc. to attach to posts.

Great point, I’ll add those to the allowed ones. Any others that make sense? .pretty?

.pretty is an extension added to a folder, there’s no way to upload it.

.lib for symbols of course, maybe .tar.gz .tar.xz and all the other
compressed archives. TBH you might as well enable uploading anything
and just set a file size limit. I don’t think it is that unsafe with a
small community like this when you have other good anti-SPAM measures.

If you don’t like that, is it set by MIME-type or just extension? All
the .lib and .kicad_mod are both MIME-type text/plain but a BOM
for instance might be text/csv or text/tab-separated-values or
whatever the MIME is of LibreOffice and MS Office files. I would
recommend these at minimum:

text/*
image/*
application/pdf
application/postscript
application/zip
application/x-compressed-tar
application/x-xz-compressed-tar
application/x-bzip-compressed-tar

But you are effectively allowing any file as long as it’s compressed anyway.
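
The observation in the post above, that an allowlist containing application/zip admits any file once it is zipped, shown as an added example (not part of the thread and not the forum software's own code). The function names, the 4 MiB limit, the small magic-byte table and the sample inputs are assumptions made for illustration.

```python
import fnmatch, io, zipfile

# MIME patterns copied from the list in the post above.
ALLOWED = ["text/*", "image/*", "application/pdf", "application/postscript",
           "application/zip", "application/x-compressed-tar",
           "application/x-xz-compressed-tar", "application/x-bzip-compressed-tar"]
MAX_BYTES = 4 * 1024 * 1024  # assumed size limit, not a value from the thread

# Minimal constructed magic-byte table; a real deployment would use libmagic.
MAGIC = [(b"%PDF-", "application/pdf"), (b"PK\x03\x04", "application/zip"),
         (b"\x89PNG\r\n\x1a\n", "image/png")]

def sniff(data):
    """Guess a MIME type from content alone, ignoring the file name."""
    for magic, mime in MAGIC:
        if data.startswith(magic):
            return mime
    if b"\x00" in data:  # NUL bytes do not occur in ordinary text files
        return "application/octet-stream"
    try:
        data.decode("utf-8")
        return "text/plain"
    except UnicodeDecodeError:
        return "application/octet-stream"

def check_upload(data, inspect_archives=False):
    """Return (ok, detail) for one upload; optionally look inside zips."""
    if len(data) > MAX_BYTES:
        return False, "too large"
    mime = sniff(data)
    if not any(fnmatch.fnmatchcase(mime, pat) for pat in ALLOWED):
        return False, "type not allowed: " + mime
    if inspect_archives and mime == "application/zip":
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in [i for i in zf.infolist() if not i.is_dir()]:
                # Check the declared size before decompressing the member.
                if info.file_size > MAX_BYTES:
                    return False, info.filename + ": too large"
                ok, detail = check_upload(zf.read(info), True)
                if not ok:
                    return False, info.filename + ": " + detail
    return True, mime

def make_zip(members):
    """Build an in-memory zip from {name: bytes} (constructed sample input)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, body in members.items():
            zf.writestr(name, body)
    return buf.getvalue()
```

With `inspect_archives=False` the zip is accepted on its own type; with `inspect_archives=True` each member has to pass the same allowlist.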

I’ve seen hacking attempts on very obscure and rarely used forums. “Small community” means absolutely nothing today; most hacks are attempted by bots and not real people…

Sure, but I am not so confident allowing arbitrary files is really a big additional risk (as opposed to just allowing zips, images and text) and it can be a big annoyance when we have files to share that aren’t the right type.

I am most certainly too much of a geek but is it really so difficult to zip any file and send as a zip? Just one additional step, no big deal imho.

No, it’s not difficult, but it is annoying; especially if you start zipping single files just to get through the filter. But mostly what I was trying to say was that it doesn’t add anything in the way of security to disallow these files.

Nope, permissive security when you first allow everything and then disallow some “dangerous types” is a bad idea. You never know what can become dangerous tomorrow, there are new kinds of threats and such appearing literally daily…

The benefits outweigh the risks in this instance in my opinion.

You’ve never faced (successful) hacking attempts on your sites, right? :wink:

How about this for a solution: I’ll turn on arbitrary uploads, but I’ll make it so that only people with a higher “rank” can upload them. Sound good?

I also assume that people will flag nasty looking files as well.

See what I mean?

From OSHPark PCB Rules:

That’s because he had joined 20 hours prior to trying to upload. I allowed anyone to upload any file, but there’s no way I’m taking away the “trust level” requirement, as that is there to keep out spammers and malware (which this guy was obviously not, but he also was brand new to the forum).

Ah yes I see. Just read this link you posted over there as well.

What trust level do you have to be to upload any file currently?

Anything above 0. As it says on that page. It takes about 5-10 minutes to get to that level.