[Feature Request] MIME Check for file attachments

[vmario89]

Hey,

the attachments loading up get checked by file type but not by header (MIME). So you can upload .exe files and other things even they are restricted/forbidden in the settings. I think this can be a security problem because malicious files can be shared.

regards, Mario

[nuxsmin]

Hey, I have given some thought to this FR and despite it would be very useful and it will add more security, it would be a hassle when if gets implemented, since you will need to know every mime types which need to be allowed for uploading, eg. JSON file is application/json and so on: https://www.sitepoint.com/mime-types-complete-list/ (a really pain...)

What do you think?

[vmario89]

Hi nux,
i agree that's hard to implement a complete list because this alway changes. The counterquestion may be: does it make sense to check for file endings if at the end anything can be uploaded just by renaming? maybe it could be done by allowing just most common file types like zip/gz/rar/html/... - but i think that's a general question of what the users are going to upload here. i guess it will quickly raise up to 100 or 200 extensions.

By the way it is not possible to upload files without ending. I personally have many files without ending which just contain some notes. At least some option to ignore file endings (and maybe allow linux style files like .ssh - the thing with the dot) in general would be some feature for general use.

hmmmmm .. :-/

[nuxsmin]

Hi Mario, I agree with you, file extension is worthless, since mime type is the key point. I don't really know which would be the better approach, because a few mime types wouldn't be enough for some use cases and many of them would be a mess, but I don't mind to include the most used and let opened to set more and of course, skip the extension checking at all.

v3 is almost ready, this behavior will be the last added before RC stage.

Thanks for the feedback!

PS: I need to take some time to reply your email, but sysPass development makes me tired when the day ends and I just noticed that I didn't do it...

[nuxsmin]

Hello, mime type checking has been implemented in latest commit, so actually the only way to upload files is by setting the correct mime types. They can be added either through the UI or editing the mime.xml file.

Regards