Chris Down wrote:
I pointed this out at VP a few months ago when it was proposed that we virus-scanned incoming files - as far as I am aware, nothing is checked when uploading.
Could be wrong, but that's how I remember the conversation going.
- Chris
The file type is scanned. Also, I run a bot doing stricter checks on the file contents for all Commons uploads (could extend to other projects if you want).
It could also pass a virus scan but I don't think it's really needed. Virus scanners mainly look for known bad code, inside executables. We don't want any kind of executable.
On Fri, Feb 20, 2009 at 4:24 PM, David Gerard dgerard@gmail.com wrote:
http://www.infoworld.com/article/09/02/20/Adobe_flaw_heightens_risk_of_encou...
Do we sanitise PDFs at all? Do we check for wacky "active" features in a PDF?
- d.
It isn't too specific, so it would be hard to detect. What we could do is to reject PDFs containing JavaScript. An unneeded feature IMHO. It has been used more as an attack vector than legitimately. Do you know of a tool which could detect that? I don't think pdfinfo provides that.
In any case, PDFs don't stay too much. They are a headache for a different reason. About 99% of PDF uploads really shouldn't have been uploaded as PDF.
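
One way to implement the check discussed above (rejecting uploaded PDFs that contain JavaScript or other automatic actions), as an added example that is not part of the original thread or of any Wikimedia tooling. The function names `scan_pdf` and `decode_name`, the verdict strings and the sample byte strings are assumptions constructed for illustration.

```python
import re

# Name objects that mark scripts or automatically triggered actions in a PDF.
ACTIVE_NAMES = {"JavaScript", "JS", "OpenAction", "AA", "Launch"}
# Names that hide other objects from a raw byte scan, so a clean result is not conclusive.
OPAQUE_NAMES = {"ObjStm", "Encrypt"}

# A PDF name is "/" followed by regular characters; whitespace and delimiters end it.
NAME_RE = re.compile(rb"/([^\x00\t\n\x0c\r ()<>\[\]{}/%]+)")
HEX_ESCAPE_RE = re.compile(rb"#([0-9A-Fa-f]{2})")


def decode_name(raw: bytes) -> str:
    """Undo #xx escapes, so /J#61vaScript and /JavaScript compare equal."""
    decoded = HEX_ESCAPE_RE.sub(lambda m: bytes([int(m.group(1), 16)]), raw)
    return decoded.decode("latin-1")


def scan_pdf(data: bytes) -> dict:
    """Return a verdict plus the active and opaque names found in the raw bytes."""
    names = {decode_name(m.group(1)) for m in NAME_RE.finditer(data)}
    active = sorted(names & ACTIVE_NAMES)
    opaque = sorted(names & OPAQUE_NAMES)
    if active:
        verdict = "reject"
    elif opaque:
        verdict = "inconclusive"  # unpack object streams or decrypt, then rescan
    else:
        verdict = "accept"
    return {"verdict": verdict, "active": active, "opaque": opaque}


# Constructed sample inputs (not real uploads).
PLAIN = b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog /Pages 2 0 R >>\nendobj\n%%EOF\n"
SCRIPTED = (b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog /OpenAction 3 0 R >>\nendobj\n"
            b"3 0 obj\n<< /S /J#61vaScript /JS (app.alert\\(1\\);) >>\nendobj\n%%EOF\n")
PACKED = b"%PDF-1.5\n4 0 obj\n<< /Type /ObjStm /N 1 /First 4 /Length 10 >>\nendobj\n%%EOF\n"

if __name__ == "__main__":
    for label, sample in (("plain", PLAIN), ("scripted", SCRIPTED), ("packed", PACKED)):
        print(label, scan_pdf(sample))
```

A raw byte scan can also match these names by chance inside binary stream data, so `reject` is conservative. `inconclusive` means object streams or encryption could hide names from this scan, so the file needs unpacking before it can be cleared.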