Re: Please add .UNF extension to the list of allowed files
Posted: Thu May 03, 2018 4:10 pm
I'd worry about allowing html/xhtml permitting XSS attacks. (I don't know that it would, it's just the obvious failure mode)
NES Development and Strangulation Records message boards
koitsu wrote: I shouldn't have to state stuff like this.
Ah, but who allowed .php in the first place?
tepples wrote: You can still upload Lua scripts. Just zip them up first
Yes, that's what I was disappointed about. The friction of un-zipping propagates also to each person who wants to download it too.
tepples wrote: so that they don't accidentally get executed on the server.
I understand that part. Whatever you feel is necessary to protect the server is fine. I don't know anything about what your server's configuration looks like, so I'm in no position to tell you what's safe for the server, but as an end user I'm still disappointed that something I liked using (both up and down) is being removed.
koitsu wrote: I shouldn't have to state stuff like this.
rainwarrior wrote: Ah, but who allowed .php in the first place? ;)
I think the server infrastructure changed between then and now (including the webserver, IIRC; it used to be Apache, now it's nginx, and I think there's a reverse proxy involved now). What I knew to be true then I don't think is true now.
https://forums.nesdev.com/viewtopic.php ... 34#p127134
Code:
$ curl -s -v 'http://forums.nesdev.com/download/file.php?id=10609'
* Trying 18.104.22.168...
* TCP_NODELAY set
* Connected to forums.nesdev.com (22.214.171.124) port 80 (#0)
> GET /download/file.php?id=10609 HTTP/1.1
> Host: forums.nesdev.com
> User-Agent: curl/7.59.0
> Accept: */*
>
< HTTP/1.1 200 OK
< Server: nginx
< Date: Sat, 05 May 2018 03:28:01 GMT
< Content-Type: application/octet-stream
< Content-Length: 284
< Connection: keep-alive
< Keep-Alive: timeout=60
< X-Powered-By: PHP/5.5.9-1ubuntu4.20
< Set-Cookie: XXX
< Set-Cookie: XXX
< Set-Cookie: XXX
< Pragma: public
< Content-Disposition: attachment; filename*=UTF-8''700-in.1_32kib.zip
< Last-Modified: Tue, 31 Oct 2017 22:49:03 GMT
<
* Failed writing body (0 != 284)
* stopped the pause stream!
* Closing connection 0
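An added example (not part of the original thread, and not the forum's own code): a Python check of a download handler's response headers, relevant to the worry above about html/xhtml attachments and XSS. It reads `curl -v` output like the capture above; the function names, the list of browser-renderable types and the second sample are assumptions made for illustration.

```python
# Added example: audit attachment-download response headers from `curl -v` output.
RENDERABLE = {"text/html", "application/xhtml+xml", "image/svg+xml",
              "text/xml", "application/xml"}  # assumed list of types browsers render

def parse_headers(verbose_output):
    """Collect response headers (lines starting with '< ') into a dict of lists."""
    headers = {}
    for line in verbose_output.splitlines():
        line = line.strip()
        if line.startswith("< ") and ":" in line:
            name, _, value = line[2:].partition(":")
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers

def audit_download(verbose_output):
    """Return findings that would let an uploaded file render in the site's origin."""
    h = parse_headers(verbose_output)
    ctype = h.get("content-type", [""])[0].split(";")[0].strip().lower()
    dispo = h.get("content-disposition", [""])[0].strip().lower()
    nosniff = any(v.lower() == "nosniff" for v in h.get("x-content-type-options", []))
    findings = []
    if not dispo.startswith("attachment"):
        findings.append("inline-disposition")       # browser may display the file
    if ctype in RENDERABLE:
        findings.append("renderable-content-type")  # markup/script would be parsed
    if not nosniff:
        findings.append("missing-nosniff")          # defence in depth against sniffing
    return findings

# Subset of the response headers as they appear in the capture on this page.
PAGE_CAPTURE = """\
< HTTP/1.1 200 OK
< Server: nginx
< Content-Type: application/octet-stream
< Content-Length: 284
< Content-Disposition: attachment; filename*=UTF-8''700-in.1_32kib.zip
"""

# Constructed counter-example: an .html attachment served for inline display.
CONSTRUCTED_INLINE = """\
< HTTP/1.1 200 OK
< Content-Type: text/html; charset=UTF-8
< Content-Disposition: inline; filename="notes.html"
< X-Content-Type-Options: nosniff
"""

if __name__ == "__main__":
    print("page capture:", audit_download(PAGE_CAPTURE))
    print("constructed :", audit_download(CONSTRUCTED_INLINE))
```

A response that forces download with a generic type, as in the capture, is not rendered in the forum's origin whatever the file extension; the inline text/html case is the one the XSS concern describes.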
rainwarrior wrote: It's a bit frustrating to have content you uploaded to the BBS for archival purposes suddenly effectively "deleted" with no identifying reference...
Out of idle curiosity (not anything actionable), do any of the python scripts you've uploaded show up in the Manage attachments list?
rainwarrior wrote: It's a bit frustrating to have content you uploaded to the BBS for archival purposes suddenly effectively "deleted" with no identifying reference...
lidnariq wrote: Out of idle curiosity (not anything actionable), do any of the python scripts you've uploaded show up in the Manage attachments list?
Ah, yes they do. At least there's a list of my own posts I can access then. (...and yeah, can see the filename and thread but can't download.) I thought I'd uploaded more lua scripts than python, but apparently it's the other way around.
tepples wrote: ...am I now expected to (solve this problem)
You can decide how and whether to work on this. I'd volunteer to help, if I could, but I don't think I can really do much about it as a non-administrator. (If there is work I can do to facilitate this, though, let me know.)