Open Marc75 opened 10 years ago
Assigning to @simong to get some feedback on whether or not this is necessary
I will create a task for us to confirm with the Services Team what we plan to do with zip files.
FWIW,
No, we're not doing any virus checking. From a technical standpoint, the servers are probably "safe" as those files get explicitly marked as non-executable and code that uses any of those files has been reviewed fairly extensively. From a UX/policy perspective though, we should probably do something in this area. Especially if we're going to take the repository-route and will be offering download functionality for user-uploaded files.
I think we should do something to protect Philip and, longer-term, people accessing the user-uploaded files. Philip was concerned that his computer could get a virus as it has happened a couple of times to him previously (but I didn't gather if that was from people inside the University, or outside). What are the options? Ideally, from a UX perspective, we should detect during upload and warn the user, and not allow the folder to be uploaded.
We could bring in ClamScan which is widely used for scanning email attachments. We could then use it to scan user-uploaded files and profile pictures.
I think we should prevent people from being able to upload zip files and then virus checking would only be an issue for Word files.
@Coenego has done quite a lot of work on this already. To be discussed with @bp323 to decide if we should continue with implementation.
@Coenego could you assess how much work is still needed here and attach your code to the issue?
As far as I remember the whole thing still needed to be puppetised and we need to do something with the files considered to be dangerous. All the code I wrote is available on https://github.com/Coenego/Hilary/tree/avocet-antivirus.
I was able to upload a zip file. Are we doing any virus checking?
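The upload-time scan proposed in this thread, as an added example that is not part of the issue and is not the code on the linked branch. It assumes the ClamAV `clamscan` command is on PATH, and the names `runClamscan`, `checkUpload` and `SAMPLE_SCANS` are hypothetical. Rejecting the upload on any result other than "clean" is this example's choice, not a decision taken in the thread.

```javascript
// Added example (not from the issue or the linked branch).
// clamscan exit codes: 0 = no virus found, 1 = virus found, 2 = error.

// Default scanner: runs the ClamAV command-line scanner on one file.
// Assumes `clamscan` is on PATH and filePath is the server-side temporary
// path of the upload, not the client-supplied file name.
function runClamscan(filePath) {
  // Loaded here so checkUpload can be exercised without spawning a process.
  const { spawnSync } = require('node:child_process');
  // Argument array and no shell, so the path is never shell-parsed.
  const r = spawnSync('clamscan', ['--no-summary', '--infected', filePath],
    { encoding: 'utf8', timeout: 60000 });
  return { status: r.status, stdout: r.stdout || '', error: r.error };
}

// Turns a scan result into an upload decision. Anything other than an
// explicit "clean" verdict rejects the upload (fail closed).
function checkUpload(filePath, scan = runClamscan) {
  const r = scan(filePath);
  if (r.error || r.status === null) {
    // Scanner missing, timed out or killed: no verdict, so no upload.
    return { accept: false, reason: 'scanner-unavailable' };
  }
  if (r.status === 0) return { accept: true, reason: 'clean' };
  if (r.status === 1) {
    // With --infected, stdout carries "<path>: <signature> FOUND".
    const m = /: (.+) FOUND\s*$/m.exec(r.stdout);
    return { accept: false, reason: 'infected', signature: m ? m[1] : 'unknown' };
  }
  return { accept: false, reason: 'scan-error' };
}

// Constructed scanner results standing in for real clamscan runs.
const SAMPLE_SCANS = {
  clean: () => ({ status: 0, stdout: '' }),
  infected: () => ({ status: 1, stdout: '/tmp/upload-1: Eicar-Signature FOUND\n' }),
  failed: () => ({ status: 2, stdout: '' }),
  missing: () => ({ status: null, stdout: '', error: new Error('ENOENT') }),
};

for (const [name, scan] of Object.entries(SAMPLE_SCANS)) {
  console.log(name, checkUpload('/tmp/upload-1', scan));
}
```

The `reason` field lets the upload handler show the user a warning for `infected` and a retry message for the two scanner-failure cases.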