Hi Amit,

> Mantis allows the bug reporters to attach all sorts of files, images
> (screenshots), zipped files, php, html files, patches etc. So, my
> question is how does Mantis secure itself from potentially dangerous
> files that can be uploaded by evil users?
MantisBT doesn't execute any of the files uploaded. Thus the files uploaded by users are of no threat to MantisBT. Of course you could configure MantisBT horribly so that the file upload directory is located in a web-accessible path. This would allow people to upload attachments and execute them remotely via the web server. I strongly suggest using MantisBT 1.2.x with the Fileinfo extension available to PHP. This allows PHP to guess MIME types for attachments so that user browsers downloading attachments know what type of files they're dealing with.

> I could have used some sort of trigger to immediately check the
> uploaded file by calling clamscan with the file's location on a Linux
> machine, but the problem is that the web application can be used on any
> web server on any operating system. And hence it won't work on Windows,
> as the server owner might have some other proprietary antivirus
> software, and it won't be possible to add hooks for all such AV in the
> configuration file.

The general approach to anti-virus scanning on Linux systems is to perform the scan upon receiving an email (mail exchangers) or upon a file being uploaded. I don't think background scanning is used (with inotify or some other approach) to scan new or modified files. On Windows I gather it'd be commonplace for files to be scanned twice in many cases: once when the web server/mail exchanger manually performs an AV scan on the file and once when the AV detects a new file on the disk (background scanning).

> So, does Mantis have any in-built mechanism to secure the uploaded
> files? If yes, I'd really appreciate if someone can give me a brief
> overview or at least hint me towards the right direction.

At the moment, no. We'd need to add an event trigger to bug_file_add.php so that a hypothetical Anti-Virus scanner plugin for MantisBT could scan attachments upon upload. Possibly a better location for the event trigger would be inside gpc_get_file() from gpc_api.php.
Patches and plugins are most welcome. Just for the record I don't advocate the use of anti-virus software so I'm not the best person to ask for help with testing this proposed functionality :)

Regards,
David

_______________________________________________
mantisbt-help mailing list
https://lists.sourceforge.net/lists/listinfo/mantisbt-help
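The three controls discussed above (keeping the upload directory out of the web root, content-based MIME detection via Fileinfo, and a scanner hook at upload time) sketched as one portable PHP check that a hypothetical upload hook could call. This is an added illustration, not MantisBT code or its plugin API; the function name `attachment_check`, its parameters and the configurable scanner command template are assumptions.

```php
<?php
// Added illustration (not MantisBT code): a portable attachment check that a
// hypothetical hook in bug_file_add.php could call before storing a file.
// Assumes PHP with the Fileinfo extension; the scanner command is configuration
// (a template with %s for the path), so any CLI scanner on any OS can be used.

/**
 * Validate an uploaded attachment before it is stored.
 * Returns array( 'ok' => bool, 'mime' => string, 'reason' => string ).
 */
function attachment_check( $p_tmp_path, $p_upload_dir, $p_scan_cmd = '' ) {
	// 1. Refuse to store attachments under the web root: a file in a
	//    web-accessible directory could be requested (and, for .php,
	//    executed) by anyone who knows its URL.
	$t_upload_real = realpath( $p_upload_dir );
	$t_doc_root    = isset( $_SERVER['DOCUMENT_ROOT'] ) ? realpath( $_SERVER['DOCUMENT_ROOT'] ) : false;
	if( $t_upload_real === false ) {
		return array( 'ok' => false, 'mime' => '', 'reason' => 'upload directory does not exist' );
	}
	if( $t_doc_root !== false &&
	    strpos( $t_upload_real . DIRECTORY_SEPARATOR, $t_doc_root . DIRECTORY_SEPARATOR ) === 0 ) {
		return array( 'ok' => false, 'mime' => '', 'reason' => 'upload directory is inside the web root' );
	}

	// 2. Detect the MIME type from file content, not from the client-supplied
	//    name, so the browser is told what it is really downloading.
	$t_finfo = finfo_open( FILEINFO_MIME_TYPE );
	$t_mime  = finfo_file( $t_finfo, $p_tmp_path );
	finfo_close( $t_finfo );
	if( $t_mime === false ) {
		$t_mime = 'application/octet-stream';
	}

	// 3. Optional scanner hook. Only the command template is configured, e.g.
	//    'clamscan --no-summary %s' on Linux; any scanner that exits non-zero
	//    on detection (or on error) works, so no per-AV hooks are needed.
	if( $p_scan_cmd !== '' ) {
		$t_output = array();
		$t_status = 0;
		exec( sprintf( $p_scan_cmd, escapeshellarg( $p_tmp_path ) ), $t_output, $t_status );
		if( $t_status !== 0 ) {
			return array( 'ok' => false, 'mime' => $t_mime, 'reason' => 'scanner rejected file: ' . implode( ' ', $t_output ) );
		}
	}

	return array( 'ok' => true, 'mime' => $t_mime, 'reason' => '' );
}

// Example call with constructed paths (the scanner template is a placeholder):
// $t_result = attachment_check( $_FILES['file']['tmp_name'], '/var/mantis_uploads', 'clamscan --no-summary %s' );
```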
