Feature #14221

Allow .ics files to be posted as forum attachments

Added by Matt Gold 7 months ago. Updated 7 months ago.

Status: Rejected
Priority name: Normal
Assignee:
Category name: Group Forums
Target version: -
Start date: 2021-03-23
Due date:
% Done: 0%
Estimated time:

Description

I just forwarded a message to a CAC group; the original message had a calendar invite (.ics) file attached. I received a message saying that the .ics file could not be posted. I don't know whether we disallow that out of actual security concerns or just because we haven't thought to allow it before, and I'd be curious to hear your thoughts.

Attached is a screenshot of the error message I received.

History

#1 Updated by Boone Gorges 7 months ago

Ray can probably say more about how the specific message is generated. We do not allow the upload of .ics using the general upload mechanism, and I'm guessing that RBE checks against this allowed-extension list.

Ray, do you see a security issue with allowing .ics files? Given that they are meant to be downloaded and loaded into a calendar application?

A potential point of confusion is that one might believe that uploading an .ics file would have some connection to the group calendar. But this wouldn't work without some further development.

#2 Updated by Raymond Hoh 7 months ago

> We do not allow the upload of .ics using the general upload mechanism, and I'm guessing that RBE checks against this allowed-extension list.

That's correct. So if we want to allow .ics files for forum attachments, we just need to allow .ics files at the WordPress media library level.

> Ray, do you see a security issue with allowing .ics files? Given that they are meant to be downloaded and loaded into a calendar application?

Good point, Boone. My guess is that this would depend on the iCalendar application being used and whether that is vulnerable to exploits. Another tactic is social engineering. The .ics file could contain events with external links to phishing sites in their event description.

However, this last point applies to all document types, not just .ics files. We already allow documents and PDFs, so it should be okay to go ahead with allowing .ics files.

> A potential point of confusion is that one might believe that uploading an .ics file would have some connection to the group calendar. But this wouldn't work without some further development.

That's another good point. If we were to do this, we would probably have to limit this to group admins only.
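The link concern raised in comment #2 can be checked before an .ics attachment is accepted. The following is an added example, not part of the ticket or of the site's code: it unfolds iCalendar content lines and reports links whose host is not on an allowlist. The function names, the sample file and the host `commons.example.org` are assumptions made for illustration.

```python
import re
from urllib.parse import urlsplit

# Constructed sample, not from the ticket. The DESCRIPTION line is folded
# mid-URL, so a line-by-line search for "http" would not see the full link.
SAMPLE_ICS = (
    "BEGIN:VCALENDAR\r\nVERSION:2.0\r\nBEGIN:VEVENT\r\n"
    "UID:1@commons.example.org\r\nSUMMARY:Budget review\r\n"
    "DESCRIPTION:Confirm your account at https://login.exa\r\n"
    " mple.net/verify\\, then join.\r\n"
    "URL:https://commons.example.org/events/1\r\n"
    "END:VEVENT\r\nEND:VCALENDAR\r\n"
)
URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)

def unfold(ics_text):
    # RFC 5545 folding: a line break followed by one space or tab continues the line.
    return re.sub(r"\r?\n[ \t]", "", ics_text).splitlines()

def split_content_line(line):
    # Split "NAME;params:value" at the first colon outside a quoted parameter value.
    in_quotes = False
    for i, ch in enumerate(line):
        if ch == '"':
            in_quotes = not in_quotes
        elif ch == ":" and not in_quotes:
            return line[:i], line[i + 1:]
    return line, ""

def unescape_text(value):
    # Decode RFC 5545 TEXT escapes (backslash before \ ; , n N) before link matching.
    return re.sub(r"\\([\\;,nN])",
                  lambda m: "\n" if m.group(1) in "nN" else m.group(1), value)

def external_links(ics_text, trusted_hosts):
    # Return (property, host, url) for every link whose host is not trusted.
    findings = []
    for line in unfold(ics_text):
        head, value = split_content_line(line)
        prop = head.split(";", 1)[0].upper()
        # Parameters such as ALTREP can carry a URI too, so scan them as well.
        for url in URL_RE.findall(head + " " + unescape_text(value)):
            url = url.rstrip(".,;:)")
            try:
                host = (urlsplit(url).hostname or "").lower()
            except ValueError:
                host = ""  # unparsable URL: report it rather than skip it
            if not any(host == t or host.endswith("." + t) for t in trusted_hosts):
                findings.append((prop, host, url))
    return findings
```

A non-empty result is a reason to hold the attachment for review; it does not address parser flaws in the calendar application that opens the file.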

#3 Updated by Boone Gorges 7 months ago

  • Status changed from Assigned to Reporter Feedback

Thanks, Ray!

Given the potential for confusion and security issues, I'm leaning toward rejecting this request. The benefits of attaching an .ics file to a forum attachment aren't worth the downsides. Matt, does that seem OK to you?

#4 Updated by Matt Gold 7 months ago

  • Status changed from Reporter Feedback to Rejected

Yes, that seems fine, though let's revisit if others notice and clamor for the ability to share .ics files. Thanks to you both for your thinking about this!
