I find the preview of attached images quite annoying, especially when you have lots of them.
Is there any way to turn off these previews?
You may use the old Gmail interface if you access it at
http://mail.google.com/?ui=html
It is much less annoying: it lets you see the complete file name and size and download attachments directly skipping the awful Drive thing.
After google insight analysis, there was an option to download optimised contents (CSS, JS, Images). Now the option is not visible anywhere in the new design. Was it removed?
Could someone give a screenshot if it's available?
Not sure if this is the case, but GPSI sometimes offers nothing to download, if the analysis result is satisfactory.
Also GPSI is sometimes unhappy with its own files (images) it offers for download and re-optimizes them again, after you use them and re-test.
I often produce mathematical software in Delphi 2009, and publish it on my web site. However, the last year or so, Google Chrome has started to consider a small (but increasing!) number of my EXEs 'harmful', and Google Chrome refuses to download them.
For example, today I wrote a program that visualises the Lorenz attractor. You can find it at https://specials.rejbrand.se/chaos/lorenz/; it's lorenz.exe.
When I use Google Chrome to download this EXE, the following prompt appears:
(Yeah, I actually did try it three times...)
This is Swedish, and the text says "%s is harmful and has been blocked by Chrome". The button says "Remove permanently", and the drop-down menu doesn't offer any other actions (like "I know the file is safe, please let me have it").
Obviously, this is kind of a problem. As far as I know, the EXEs are perfectly safe. At least the code I have written is not harmful in any way, but I suspect there is a theoretical possibility that the Delphi compiler has started to add harmful code behind my back.
Questions
Is there something harmful about my EXEs?
Is there some way to make Google Chrome not block my EXEs?
I could reproduce this behavior with Chrome with your original EXE.
Is there some way to make Google Chrome not block my EXEs?
I can confirm that after I digitally signed it (with my company's signing code certificate) Google Chrome downloads this file without any issues. This is the most efficient (maybe the only) way to avoid this kind of problem.
Another quick solution is to pack the EXE with RAR. Chrome downloaded it with no problem.
Surely this is a false positive "detection" by Google Chrome. My antivirus (NOD32) did not find any problem, and other browsers did not have any issues with your EXE.
NOTE also that your domain might have issues (flagged), as @Sertac mentioned. If I download your original EXE from my website, the error message is "%s is not commonly downloaded and could be dangerous". The same goes for any other EXE I uploaded to MY site. (You still have an option to "Keep" the file.)
See also here: Google Chrome Browser Will Block Dangerous Downloads
Especially this:
As welcome as the new features are, Chrome is in the unusual position
of playing catch up to Internet Explorer 9, which features an arguably
superior method of blocking potentially malicious downloads.
Microsoft's SmartScreen Application Reputation rates downloads in
three ways: whether they're digitally signed, the reputation of the
author, and--arguably most importantly--how many times the file has
been downloaded by others.
"Is there something harmful about my EXEs?"
No.
Here's a link to the results of Jotti's malware scan (which results with: 22 out of 22 scanners "found nothing"):
http://virusscan.jotti.org/en/scanresult/df25dbecfccc5d10862f52236d664d48d0c72058
The link to virustotal scan (detection ratio = 0/53):
https://www.virustotal.com/en/file/51d9d637a17f5876c371e5eec164e1dc48a35c56900a3235a9c656d10687814a/analysis/1408587813/
"Is there some way to make Google Chrome not block my EXEs?"
One option is to make it block nothing, evidently it's crap anyway. The option is in the "privacy" section in "advanced settings", here are the instructions:
https://support.google.com/chrome/answer/4412392?p=ib_download_blocked&rd=1
Otherwise, you can check what google thinks about safety of your site:
http://www.google.com/safebrowsing/diagnostic?site=rejbrand.se
The report seems to be somewhat indeterminate. Here's a quote (for rejbrand.se):
Has this site hosted malware?
Yes, this site has hosted malicious
software over the past 90 days. It infected 0 domain(s), including .
Presumably you can also request a site review in the security issues of google webmaster tools. But apparently it's not always fruitful. That last link also suggests there's a way to send samples to google hoping that they would analyze better (AFAICT it's not part of webmaster tools), but this might not turn out to be practical depending on the number of executables/versions you produce.
This is a fairly common problem, actually. Because Delphi makes software development easy and has no external runtime dependencies, it tends to get used for writing malware, unfortunately. And so some virus scanner heuristics that are supposed to detect malware instead end up detecting parts of the Delphi RTL.
The best thing to do is to do a bit of research and find out how Chrome is making this determination, and then send the people behind the virus scanner giving the false positives a copy of your EXE(s) with an explanation that this is a false positive and needs to be fixed.
I have equally been frustrated by this warning, and without going into a rant about how ridiculous the whole thing is, I will share the solution that worked for me.
I have found that double zipping got rid of the warning right away: zip your files, then zip the resulting zip file, and the warning will disappear upon downloading.
The user will have to unzip 2 files to get to your files, but that is a much lesser inconvenience than the dangerous warning.
Is there a browser plugin or an extension that allows the user to view .doc files in browser?
I need to embed in my application, a document viewer. So far, I tried using services like google docs, but this solution doesn't work for our application, because of some security problems.
Do you know about the Office Web Apps? Microsoft developed something similar to Google Docs and you can use the Word Web Application to view Word files. It will pretty much display anything - a lot of editing functions from the offline version are not available though.
If you are just looking for a viewer search for "Word ActiveX Viewer" and you will find plenty (commercial) viewers.
To have IE open the .doc within the browser and not in a separate winword.exe, you need to define the association at client end.
As .doc file is an external resource to HTML, it would download the file into its temp, and then attempt to launch it. It would launch it using the default program that it is associated with.
To control this behavior, please have a look at:
http://www.shaunakelly.com/word/sharing/opendocinie.html
I thought Internet Explorer + Microsoft Office used to do this by default?
I can for sure tell you that other than converting the doc to html you won't get a cross-browser, cross-platform solution.
Since you are saying it's for viewing only, that would seem like the way to go.
I want to let users (i.e. anyone who signs up for an account) upload and download video and text documents. I have been researching the security issues regarding letting users upload files, but everything I can find on the subject assumes that users will only upload images.
Are there any security issues specific to letting users upload videos and text documents? Is security a lot more difficult when users can upload files at video size? Are there any particular file extensions I should look out for?
The problem is this: If you let users upload videos, images and text files, some of them will try to upload viruses, server-side scripts and other malicious code. Such code will then expose your site's users to what ever 'bad things' those users uploaded, within the context of your own site.
If you allow such uploads, you must be very careful that you are only saving files of the actual types you planned on - and not by looking at the file extension, either. You also must make sure those files are placed in locations where execute/script permissions are disabled.
Virus checking is a must - but it is not at all enough. A PHP script may not set off virus warnings at all, but that same script could reveal vital information for your site, or cause other bad things to happen if executed.
You must examine the content of the files - never rely on the extension or MIME type reported by the client. Those can easily be faked.
Serve your downloads from a location for which you have disabled the execution of server side code. This is all you need to do to protect yourself from server side exploits. Relying on file extensions or other such things are all hacks.
If you want to fully protect your users (and indirectly your website) as well, you'll need to run the files through a suitable virus scanner. It is possible, and there are real-life examples of doing so, to exploit video decoders and such software to run arbitrary code. But if you start walking down that line, you could also argue that certain text strings might set off weird behavior in certain software, and that starts getting silly. Luckily, the people who write virus scanners will have done most of the work for you. So:
Never execute what is uploaded
If you feel it's needed, virus scan them as well.
You can virus check each file that is uploaded. If you look at most web based email clients you will see when you upload a file they are checked by McWhoever. In general you shouldn't let them upload exe files but checking the extension is a very basic (unreliable) method.
It's quite hard to make an upload REALLY secure.
There are quite a lot of things to check - the file extension is just one part of it. Here are a few things which have to be at least checked:
file extension (as you've already mentioned)
mimetype
filesize
depending on the users: maybe check the uploads with ClamAV ...
To answer your question here is a meta attack:
1. bad guy uploads a binary to your server, perhaps tricking your filters by compressing file and changing extension to .avi
2. exploit bug in a CGI script to decompress avi from #1
3. exploit bug in another CGI to execute file from #2 -> backdoor installed
4. backdoor accessed and rootkit installed to hide all evidence of steps 1,2,3
Some variation on the above is what typically happens when servers are compromised.
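The checks these answers describe (decide the type from the file's content, ignore the client's file name and MIME type, store where nothing is executed), sketched in Python as an added example that is not from any of the posts. The allowed types, size cap, SAMPLES data and function names are assumptions, and upload_dir is assumed to be a directory outside the web root with script execution disabled.

```python
import os
import secrets

MAX_BYTES = 200 * 1024 * 1024  # assumed size cap; tune per deployment

# Constructed sample uploads, keyed by the name the client claims.
SAMPLES = {
    "clip.avi": b"RIFF\x00\x00\x00\x00AVI LIST",
    "talk.mp4": b"\x00\x00\x00\x18ftypisom\x00\x00\x02\x00",
    "holiday.avi": b"\x1f\x8b\x08\x00" + b"\x00" * 20,  # gzip data, renamed
    "../../notes.php": b"<?php phpinfo(); ?>\n",         # script posing as text
}

def sniff_type(data: bytes):
    """Return a canonical extension chosen from content only, or None."""
    head = data[:16]
    if len(head) >= 12 and head[4:8] == b"ftyp":       # ISO BMFF / MP4
        return "mp4"
    if head[:4] == b"RIFF" and head[8:12] == b"AVI ":  # RIFF AVI
        return "avi"
    if head[:4] == b"\x1a\x45\xdf\xa3":                # EBML (WebM/Matroska)
        return "webm"
    try:
        text = data.decode("utf-8")
    except UnicodeDecodeError:
        return None
    if data and all(c.isprintable() or c in "\t\r\n" for c in text):
        return "txt"  # scripts are text too: safety comes from how it is stored
    return None

def store_upload(data: bytes, client_name: str, upload_dir: str) -> str:
    """Validate by content; client_name is never used for type or path."""
    if len(data) > MAX_BYTES:
        raise ValueError("upload too large")
    ext = sniff_type(data)
    if ext is None:
        raise ValueError("content is not an allowed type")
    path = os.path.join(upload_dir, f"{secrets.token_hex(16)}.{ext}")
    # O_EXCL never overwrites; mode 0o600 sets no execute bit.
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    return path
```

The header check is only a first gate, not a full parse of the container; a virus scan, as the answers suggest, would run on the stored file.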
We're using the Mantis bugtracker (version 1.1.8), which is based on PHP. To ease the workflow of adding bugs we'd like to add an option to paste screenshots from the clipboard directly into the 'new bug form'.
Screenshots make bugreports much more valuable for developers, so I'd like to make adding them as easy as possible. Preferably without using an external application, but right in the browser.
I've looked all over for a way to add this, but no luck. How do other people do this? Am I missing something obvious?
edit: The bugtracker is a private one, in a small company, so I'd be willing to accept the security risks that for example Java applets present.
There isn't really a way to do this short of using ActiveX, applet or Flash-type technology on the client. Even then, there are numerous security roadblocks. A browser has no easy way to convert stuff from the clipboard into a suitable format for upload to a website, and even if it did there would be security concerns. For example, malicious code in a page could copy sensitive information from your clipboard and send it to the page's site without you even knowing it was happening.
Update: There is a standalone screen capture utility which claims to work with Mantis (and a whole bunch of other bug-trackers). This is probably your best option.
There is a drag n drop image attacher Java applet for Atlassian Confluence which has the functionality you need. It only supports Confluence but as the source code is freely available under BSD you should be able to customize it to your needs.
Forgot the link:
http://confluence.atlassian.com/display/CONFEXT/Drag+and+Drop+Image+Attacher+Plugin
I've managed to build my own solution that works quite well. It places a Java file upload applet on the pages where you'd want to attach a screenshot. The applet has two buttons:
'paste screenshot', which pastes an image from the clipboard into the applet
'upload screenshot', which uploads the pasted image to the /tmp dir on the Mantis server and uses a javascript callback to place the autogenerated filename of the uploaded image into a form field.
Once the form is submitted, a new function in Mantis uses the filename in the form field to move the image from /tmp to the final location and processes the image just like other attachments. If the form is never submitted the uploaded file remains in /tmp and will eventually be purged by the server.
It works well, but has one drawback that I cannot avoid: I'm using Java to get access to the client's clipboard, but that requires breaking the JVM sandbox. Apparently, this can be done if you digitally sign the applet, which requires a rather expensive yearly payment (something like $500) to a company like Verisign (currently free options like cacert.org are still limited in their usefulness).
Another way to allow Java applets access to the clipboard is to create a file called .java.policy in your home or profile directory. This file should contain the following (Replace the domain with the domain that hosts your Java applet):
grant codeBase "http://bugs.example.com/-" {
permission java.awt.AWTPermission "accessClipboard";
};
Thankfully the solution is cross-browser compatible since the JVM always checks the same file regardless of the browser used. Since my solution requires having this .java.policy file on each client computer I don't consider it ideal, but workable in a controlled company environment.
I looked into this also. No real easy way, so instead I allowed them to upload an unlimited number of files and those files would then be "attached" to that bug. It actually turned out to be better because they can upload screenshots, spreadsheets, Word docs, etc.
Like yours, this is an internal only site so security is light. I did this in ASP.Net, but the general idea is that when they are looking at a page for a bug they have an upload box. When they upload something I prepend it with the bug id. So ScreenShot.jpg becomes 233_ScreenShot.jpg.
Also on that page is a grid (GridView) that is bound to all of the filenames in my upload directory that start with that bug id.
To see what this looks like click here.
For tech-oriented users, there's always the possibility of using Eclipse + Mylyn + Mylyn-Mantis connector.
Then uploading screenshots is very easy:
Screenshot upload http://img216.imageshack.us/img216/246/screenshotattachments1.png