Chris Down wrote:
I pointed this out at VP a few months ago when it was proposed that we virus-scan incoming files - as far as I am aware, nothing is checked when uploading.
Could be wrong, but that's how I remember the conversation going.
- Chris
The file type is scanned.
Also, I run a bot doing stricter checks on the file contents for all Commons uploads (could extend to other projects if you want).
It could also pass a virus scan, but I don't think it's really needed.
Virus scanners mainly look for known bad code, inside executables. We
don't want any kind of executable.
On Fri, Feb 20, 2009 at 4:24 PM, David Gerard <dgerard(a)gmail.com> wrote:
>
http://www.infoworld.com/article/09/02/20/Adobe_flaw_heightens_risk_of_enco…
>
> Do we sanitise PDFs at all? Do we check for wacky "active" features in a
> PDF?
>
> - d.
It isn't too specific, so it would be hard to detect.
What we could do is reject PDFs containing JavaScript. An unneeded feature, IMHO. It has been used more as an attack vector than legitimately.
Do you know of a tool which could detect that?
I don't think pdfinfo provides that.
In any case, PDFs don't stay around for long. They are a headache for a different reason. About 99% of PDF uploads really shouldn't have been uploaded as PDF.
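As an added illustration of the "reject PDFs containing JavaScript" idea raised above (this is example code written for this page, not the upload check MediaWiki used or the bot mentioned in the thread), the script below scans a PDF's bytes for the name tokens that carry active content: /JavaScript and /JS, plus /OpenAction, /AA and /Launch, which are the usual triggers. Two evasions a plain `grep` misses are handled: #xx hex escapes in name tokens (/J#61vaScript is the same name as /JavaScript) and action dictionaries hidden inside FlateDecode-compressed streams. The sample PDF byte strings are constructed here for the demonstration and are deliberately minimal, not standards-complete files.

```python
import re
import zlib

# Names whose presence indicates active content. /JS and /JavaScript are what
# the thread proposes rejecting; /OpenAction, /AA and /Launch are the hooks
# that make such code run without the reader clicking anything.
ACTIVE_NAMES = {b"/JavaScript", b"/JS", b"/OpenAction", b"/AA", b"/Launch"}

# A PDF name token: '/' followed by regular characters (no whitespace/delimiters).
NAME_RE = re.compile(rb"/[^\s/\[\]<>(){}%]+")
# Body of every stream object, so compressed object streams can be inflated too.
STREAM_RE = re.compile(rb"stream\r?\n(.*?)\r?\nendstream", re.DOTALL)


def normalize_name(token: bytes) -> bytes:
    """Resolve #xx hex escapes so /J#61vaScript compares equal to /JavaScript."""
    return re.sub(rb"#([0-9A-Fa-f]{2})",
                  lambda m: bytes([int(m.group(1), 16)]), token)


def inflate_streams(data: bytes):
    """Yield the decoded content of every stream that inflates as zlib (FlateDecode).
    Streams that are not zlib data raise zlib.error and are skipped; their bytes
    are already visible in the raw file and get scanned there."""
    for m in STREAM_RE.finditer(data):
        try:
            yield zlib.decompressobj().decompress(m.group(1))
        except zlib.error:
            continue


def find_active_names(pdf: bytes) -> set:
    """Return the active-content names found anywhere in the file, including
    inside FlateDecode streams, as ASCII strings."""
    found = set()
    for chunk in (pdf, *inflate_streams(pdf)):
        for m in NAME_RE.finditer(chunk):
            name = normalize_name(m.group(0))
            if name in ACTIVE_NAMES:
                found.add(name.decode("ascii"))
    return found


def has_javascript(pdf: bytes) -> bool:
    """The reject rule proposed in the thread: any /JavaScript or /JS name present."""
    return bool(find_active_names(pdf) & {"/JavaScript", "/JS"})


# Constructed sample files (minimal, not standards-complete PDFs).
PLAIN_PDF = (b"%PDF-1.4\n"
             b"1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj\n"
             b"2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj\n"
             b"trailer << /Root 1 0 R >>\n%%EOF\n")

# JavaScript run on open, with the action type name hex-escaped to dodge a naive grep.
OPENACTION_PDF = (b"%PDF-1.4\n"
                  b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >> endobj\n"
                  b"2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj\n"
                  b"3 0 obj << /S /J#61vaScript /JS (app.alert(1)) >> endobj\n"
                  b"trailer << /Root 1 0 R >>\n%%EOF\n")


def build_compressed_js_pdf() -> bytes:
    """Same action dictionary, but hidden inside a FlateDecode object stream
    (constructed here; a real /ObjStm also carries an offset table)."""
    inner = b"3 0 obj << /S /JavaScript /JS (app.alert(1)) >> endobj"
    body = zlib.compress(inner)
    return (b"%PDF-1.5\n"
            b"1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 3 0 R >> endobj\n"
            b"2 0 obj << /Type /Pages /Kids [] /Count 0 >> endobj\n"
            b"4 0 obj << /Type /ObjStm /Filter /FlateDecode /Length "
            + str(len(body)).encode() + b" >>\nstream\n" + body + b"\nendstream\nendobj\n"
            b"trailer << /Root 1 0 R >>\n%%EOF\n")


if __name__ == "__main__":
    samples = [("plain", PLAIN_PDF), ("openaction", OPENACTION_PDF),
               ("compressed", build_compressed_js_pdf())]
    for label, pdf in samples:
        verdict = "reject" if has_javascript(pdf) else "accept"
        print(label, sorted(find_active_names(pdf)), verdict)
```

This is a reject-filter, so it errs towards false positives: a `/JS` inside a string literal or a comment would also trip it, which is acceptable for an upload gate but not for forensic triage. It also does not decode other filters (LZWDecode, ASCIIHexDecode, ASCII85Decode) or encrypted files; a check meant to be relied on needs a real PDF parser that walks the object tree from the trailer rather than a byte scan.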