Author Topic: What is the actual security risk of zips and other archive file attachments?  (Read 5911 times)

Offline FractalFrank

  • Semi-Newbie
  • *
  • Posts: 19
Hello!
Not sure if I posted this in the right category.
Anyways:
We have repeated requests to add zip files to our allowed attachments. It makes sense from our users' standpoint.
So the question: what exactly is the security risk of zips, rars and the like? Is it just a risk for our users, because who knows what someone uploads and hides in there?
In this case we would allow it and rely on our users paying attention themselves (also only allow attachments for users with 10+ posts as a barrier).

Or are these files also a danger for the SMF system and the server?

Some more info on the "why" would be nice - going beyond the usual, don't do that, everyone knows it's dangerous.

Thanks,
Frank

Edit: OK, I just noticed it is definitely the wrong board to post this - sorry! Please move to wherever this fits.

Offline FractalFrank

  • Semi-Newbie
  • *
  • Posts: 19
*bump*

Is this too obvious? Or does nobody know the answer?

Offline Arantor

  • Resident Overthinker
  • SMF Friend
  • SMF Legend
  • *
  • Posts: 68,035
    • Arantor on GitHub
It's just a risk to your users who may download without knowing what they contain. No risk to the server for the files just being there.
To assume is to hope that those who came before had the presence of mind and capacity to implement the dreams of those who would come after.

You either die a hero or live long enough to see yourself become the villain. It seems you have chosen which, and now I must do the same.