Enable access to 'dangerous' files #3840

Closed
1 task done
Socob opened this issue Dec 24, 2019 · 5 comments

Socob commented Dec 24, 2019

  • I have searched open and closed issues for duplicates

Bug Description

This is related to #2832, but more general.

It is not possible to save files (“attachments”) to the file system using Signal-Desktop if the file name ends in certain character strings. This is the case if the file name matches the regular expression in ts/util/isFileDangerous.ts:

    const DANGEROUS_FILE_TYPES = /\.(ADE|ADP|APK|BAT|CHM|CMD|COM|CPL|DLL|DMG|EXE|HTA|INS|ISP|JAR|JS|JSE|LIB|LNK|MDE|MSC|MSI|MSP|MST|NSH|PIF|SCR|SCT|SHB|SYS|VB|VBE|VBS|VXD|WSC|WSF|WSH|CAB)$/i;

    export function isFileDangerous(fileName: string): boolean {
      return DANGEROUS_FILE_TYPES.test(fileName);
    }

The code that aborts the file download is

        const isDangerous = window.Signal.Util.isFileDangerous(fileName || '');
        this.downloadAttachment({ attachment, timestamp, isDangerous });
      },
      downloadAttachment({ attachment, timestamp, isDangerous }) {
        if (isDangerous) {
          this.showToast(Whisper.DangerousFileTypeToast);
          return;
        }

This applies analogously for sending files using Signal-Desktop:

    if (window.Signal.Util.isFileDangerous(file.name)) {
      this.showToast(Whisper.DangerousFileTypeToast);
      return;
    }

Steps to Reproduce

  1. Send a file (e.g. using Signal on Android) with a file name that ends in one of the options listed in
    const DANGEROUS_FILE_TYPES = /\.(ADE|ADP|APK|BAT|CHM|CMD|COM|CPL|DLL|DMG|EXE|HTA|INS|ISP|JAR|JS|JSE|LIB|LNK|MDE|MSC|MSI|MSP|MST|NSH|PIF|SCR|SCT|SHB|SYS|VB|VBE|VBS|VXD|WSC|WSF|WSH|CAB)$/i;
  2. Open the message/conversation using Signal-Desktop.
  3. Click on the “download attachment” button.

Actual Result:

The message

Attachment type not allowed for security reasons

is displayed.

Expected Result:

The user is prompted for a location to save the file to.

If there are concerns that some file names could have special meanings on some systems (e.g. resulting in code execution) and the developers feel that it is necessary to prevent creating files with these names, it would be preferable if the user could at least be prompted to choose a different name (instead of making it impossible to access the file altogether).

The response #2832 (comment)

Zip it up first, then you'll be able to send it.

is not applicable, because this also affects files that have already been received by Signal-Desktop, but are made impossible to actually access by the user. Resending the file with a different name may not always be possible (e.g. no network, large files, etc.).

Platform Info

Signal Version: v1.29.3

Operating System: Linux (Ubuntu)

Linked Device Version: v4.52.4
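
The behaviour requested under "Expected Result" above, written out as an added example (not Signal-Desktop's code and not from the issue's author). The regular expression is copied from the issue; `planSave`, `isChosenNameAllowed`, `SavePlan` and the `.download` suffix are hypothetical names chosen for illustration, and the sample file names are constructed.

```typescript
// Regular expression copied verbatim from the issue text (ts/util/isFileDangerous.ts).
const DANGEROUS_FILE_TYPES = /\.(ADE|ADP|APK|BAT|CHM|CMD|COM|CPL|DLL|DMG|EXE|HTA|INS|ISP|JAR|JS|JSE|LIB|LNK|MDE|MSC|MSI|MSP|MST|NSH|PIF|SCR|SCT|SHB|SYS|VB|VBE|VBS|VXD|WSC|WSF|WSH|CAB)$/i;

function isFileDangerous(fileName: string): boolean {
  return DANGEROUS_FILE_TYPES.test(fileName);
}

// Hypothetical suffix: appended so the proposed name no longer matches the list.
const NEUTRAL_SUFFIX = '.download';

interface SavePlan {
  renamed: boolean;      // true when the original name matched the list
  suggestedName: string; // name to pre-fill in the save dialog
}

// Decide what the save dialog should pre-fill instead of aborting the download.
function planSave(fileName?: string): SavePlan {
  const name = fileName || ''; // same fallback as the call site quoted in the issue
  if (!isFileDangerous(name)) {
    return { renamed: false, suggestedName: name };
  }
  return { renamed: true, suggestedName: name + NEUTRAL_SUFFIX };
}

// The dialog lets the user edit the name, so the policy has to be enforced
// on the name they finally chose, not only on the suggestion.
function isChosenNameAllowed(chosenName: string): boolean {
  return chosenName.length > 0 && !isFileDangerous(chosenName);
}

// Constructed sample file names (not taken from the issue).
const SAMPLES = ['report.pdf', 'Setup.EXE', 'bundle.min.js', 'deploy.sh', 'notes.js.txt'];

for (const name of SAMPLES) {
  const plan = planSave(name);
  const note = plan.renamed ? ' (rename suggested)' : '';
  console.log(`${name} -> ${plan.suggestedName}${note}`);
}
```

The check looks only at the last extension of the name, case-insensitively, so `deploy.sh` and `notes.js.txt` pass unchanged while `Setup.EXE` and `bundle.min.js` get a suggested rename.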

scottnonnenberg-signal changed the title from “Impossible to save or send files with certain names” to “Enable access to 'dangerous' files” on Jan 6, 2020

OdinVex commented Jun 11, 2020

Wonder why they don't consider shell scripts dangerous. return false; Problem solved.

noonien commented Aug 23, 2021

Any update on this? I send files with these extensions to work colleagues. I currently have to rename the files to not have those extensions, then they have to rename them back.

This isn't really a secure way of stopping malware from being sent.

Maybe add an option to be able to disable this? Either globally or per user.

OdinVex commented Aug 23, 2021

> Any update on this? I send files with these extensions to work colleagues. I currently have to rename the files to not have those extensions, then they have to rename them back.
>
> This isn't really a secure way of stopping malware from being sent.
>
> Maybe add an option to be able to disable this? Either globally or per user.

They've made it clear that they think they know better than their users, much like how Microsoft and Google and Apple dumb things down so much that there is no more control over software, enabling them to decide things for you. I simply run a shell script that patches the return value for the function that checks file extensions.

noonien commented Sep 30, 2021

This is not a feature, this is a bug.

ghost commented Jun 8, 2024

@Socob @noonien Patch available here (Linux only though).
