CUL-DigitalServices / avocet-ui

Open Academic Environment (OAE) Front-End
http://www.oaeproject.org
Educational Community License v2.0

ZIP files #128

Open Marc75 opened 10 years ago

Marc75 commented 10 years ago

I was able to upload a zip file. Are we doing any virus checking?

nicolaasmatthijs commented 10 years ago

Assigning to @simong to get some feedback on whether or not this is necessary

micheleidesmith commented 10 years ago

I will create a task for us to confirm with the Services Team what we plan to do with zip files.

simong commented 10 years ago

FWIW,

No, we're not doing any virus checking. From a technical standpoint, the servers are probably "safe" as those files get explicitly marked as non-executable and code that uses any of those files has been reviewed fairly extensively. From a UX/policy perspective though, we should probably do something in this area. Especially if we're going to take the repository-route and will be offering download functionality for user-uploaded files.

micheleidesmith commented 10 years ago

I think we should do something to protect Philip and, longer-term, people accessing the user-uploaded files. Philip was concerned that his computer could get a virus as it has happened a couple of times to him previously (but I didn't gather if that was from people inside the University, or outside). What are the options? Ideally, from a UX perspective, we should detect during upload and warn the user, and not allow the folder to be uploaded.

simong commented 10 years ago

We could bring in ClamScan, which is widely used for scanning email attachments. We could then use it to scan user-uploaded files and profile pictures.

micheleidesmith commented 9 years ago

I think we should prevent people from being able to upload zip files, and then virus checking would only be an issue for Word files.

@Coenego has done quite a lot of work on this already. To be discussed with @bp323 to decide if we should continue with implementation.

bertpareyn commented 9 years ago

@Coenego could you assess how much work is still needed here and attach your code to the issue?

Coenego commented 9 years ago

As far as I remember, the whole thing still needed to be puppetised and we need to do something with the files considered to be dangerous. All the code I wrote is available on https://github.com/Coenego/Hilary/tree/avocet-antivirus.