More file upload options in Discourse

Can we extend the file uploads capability beyond just images?

Hi @ctgraham,

Do you mean the TinyMCE-based upload?

Before I’ll be comfortable extending the capabilities of that tool, I’d like to move the public files directory entirely out of the web root. As long as a directory can be accessed directly via the web server, it’ll be an attractive potential attack vector for malicious file uploads (think PHP). Mediating downloads via PHP (as we do for the private files directory) mitigates that risk entirely. Plus another benefit would be that we could move the public files directory into the private files area, meaning one less set of files to need to consider for backup etc.

There’s a long-standing Bugzilla entry open for this: https://pkp.sfu.ca/bugzilla/show_bug.cgi?id=1452

Regards,
Alec Smecher
Public Knowledge Project Team
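The mediation described in the post above, as an added example that is not part of the original thread and not PKP's own code: a download script that serves uploads from a directory outside the web root. The `FILES_DIR` path, the `file` query parameter and the `resolveStoredFile` helper are assumed names.

```php
<?php
// Added illustration, not PKP/OJS code. FILES_DIR and the "file" query
// parameter are assumed names; the directory lives outside the web root,
// so the web server can never map a URL straight onto an uploaded file.
const FILES_DIR = '/var/lib/app/files';

/**
 * Map a client-supplied name to a real path inside $baseDir, or null.
 * Rejects traversal ("../"), symlink escapes and anything not a regular file.
 */
function resolveStoredFile(string $baseDir, string $name): ?string
{
    $base = realpath($baseDir);
    if ($base === false || $name === '' || strpos($name, "\0") !== false) {
        return null;
    }
    // basename() drops any directory component the client supplied.
    $path = realpath($base . DIRECTORY_SEPARATOR . basename($name));
    if ($path === false || !is_file($path)) {
        return null;
    }
    // After symlink resolution the file must still sit under the base dir.
    if (strncmp($path, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return null;
    }
    return $path;
}

$name = $_GET['file'] ?? '';
$path = is_string($name) ? resolveStoredFile(FILES_DIR, $name) : null;
if ($path === null) {
    http_response_code(404);
    exit;
}

// The file is only ever read as bytes: a stored .php is sent, never executed.
// Fixed content type + nosniff + attachment keep browsers from rendering it.
header('Content-Type: application/octet-stream');
header('X-Content-Type-Options: nosniff');
header('Content-Disposition: attachment; filename="' .
    preg_replace('/[^A-Za-z0-9._-]/', '_', basename($path)) . '"');
header('Content-Length: ' . filesize($path));
readfile($path);
```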

No, I mean here in the support forum. Should have made that more clear than just filing it in “meta”.

For example, a user could post an XML or CSS or PHP or TGZ file for sharing.

Hi @ctgraham,

Ah, it would pay to read the title :slightly_smiling:

It looks like Discourse does now support file uploads:
https://meta.discourse.org/t/new-attachments/8609

Two concerns:

  • How can we prevent file uploads from being abused? (For example, if someone creates a post, then edits it later to include a malicious attachment, will anyone be notified of the edit?)
  • Will users tend to want large file uploads? If so, I’d rather we recommended an external service.

Regards,
Alec Smecher
Public Knowledge Project Team