Upload files that are not images

Hello there,

Can we authorize people to upload files that are not images (.jpg / .png type)?
Like in this Discourse forum : https://discourse.mcneel.com/

Thanks again for the quality of this forum :slight_smile:

I’m in no way qualified to answer this correctly, but i assume that that is gonna cause many problems, starting with security, going over to having to implement functionality for each data type which is just a lot of work if done manually.

Although you might be able to remove (or lessen) the problems with security if there was a tool that could en and decode .cvs files into images and back to .cvs files. And for other types of data too. Shouldn’t be all to complicated, if you just import the byte[] of the corresponding file, represent that as a picture, upload it, download it and then use the byte[] to create a .cvs file. But i don’t know how that would turn out after up and downloading it, because of a possible dataloss during that up/download. And you could only use png at most, since it’s lossless, while jpg is lossy… But thats just an idea to how to circumvent it, and not really an answer to your request :sweat_smile:

1 Like

For code w/ data assets, just create a GitHub repo for it: :octopus:

After that, you can drag & drop your code’s root folder into your repo: :file_folder:

Here’s a repo example for a sketch containing lotsa data assets: :card_file_box:

Thanks for your answer :slight_smile:
I understand why security would be a problem but maybe it’s possible to add an antivirus that filter the files ? (I think it has a lot of problems too)

Yeah GitHub is a solution to that problem.
I was thinking about embedding the file into the Processing forum.

Well, no antivirus is better than just not allowing data to be uploaded. So, it would cause Security issues, and Even if you use the best Security, it‘s still not 100% certain, though Thats just worst case :sweat_smile: Still, i think to use Github is probably better than converting images :sweat_smile:

Allowing text file formats (csv, xml, glsl, html, css) in the forum should not be a security issue, or? Otherwise, easier that GitHub is maybe https://pastebin.com/ ?

Loading an xml can have security implications. But then running a Processing program is also “risky”, as the program has access to the files on the computer, can load and execute remote content.

Should this be made more clear in the forum, that you should inspect any programs you find before running them? Or automatically add a notice under any code snippet if any functions that work with URLs are detected? For instance loadImage("http://bla.com/virus.jpg").save("funny.jpg"). The good thing is that there are people keeping an eye on most posts.

I think it could be great. I have no doubt that people from the Processing community are not malicious but we never know.

@josephh I wonder if the fact that this is a very friendly community makes it harder for us to notice evil code, because we don’t expect it. Just in case I always use auto format in the PDE when copying code from the forum and then check if there’s any remote content being loaded in the program.

But I didn’t want to deviate from the original topic, which was being able to easily include non-image files in our posts :slight_smile:

Yeah but those questions are really interesting. For my part, I never check if there’s “evil” code :smiling_imp:
I should do this anyway and other people too. Is it mentionned in the Processing forum guidelines?

I didn’t see that mentioned in the guideline posts. Maybe in the post that you are shown when you join? What do you think @jeremydouglass? Does it make sense to tell participants that they should study the code found in the forum (or anywhere online) before running it? And what kind of instructions to be aware of?

I personally don’t object to adding suggestions or warnings. There are some obvious ones like run() and exec(), any load* that accesses an external url or references an system path… but the list of things to worry about would be different between Processing(Java) and the JVMs (Processing.py) and, on the other hand p5.js.

However, in practice, many forum users are beginning coders – they just aren’t equipped to read a piece of Processing code on the forum and evaluate whether it might be dangerous or not. Mainly what we could do is scare them off, and given what we know about the threat level (extremely low) I’m not sure we should. I think if we are concerned about bad code on the forum then we should probably have some automated forum rule like “posts from members below karma x that contain code referencing external URLs are auto-hid and require moderator approval to be viewable.” That would probably be more effective at keeping people safe.

That said, in years of forum we just haven’t seen many examples of this as a spam / malware tactic – probably because it is such a terrible vector if you are trying to make money (high attention channel, code potentially inspected by experts, a very low chance of actually being run, and if it is, disproportionally being run by students and children, who don’t tend to have a lot of valuable assets). Has anyone heard of such a thing (posting evil code) being a serious problem on stackexchange / reddit?

1 Like

Regarding uploads – I’m not a site super-admin, so I have no control over that stuff (can’t even see the settings). However, I think the question is, what file extensions could be easily enabled for upload by the forum software (Discourse) at greatest benefit and lowest risk / need of maintenance.

Right now if you have CSV or XML you can just paste it into a code box and optionally use a spoiler to hide it. Once you get up into 4+ files, then GitHub or OpenProcessing or even a zipped file on a hosting site is probably the way to go.

So – which files types, specifically? There are some things (like PDFs) that we are probably never going to do because we can’t keep up with their evolving security problem set, and it wouldn’t be worth our time if we could.

1 Like

I agree with not scaring people off and maybe developing a plugin that validates posts or maybe adds a warning below shared code that is suspicious. Here’s a tutorial about how to make plugins for Discourse: https://meta.discourse.org/t/beginners-guide-to-creating-discourse-plugins-part-1/30515 I hope someone is interested in giving it a try.

I think making money is not the only motivation for posting evil code, some are into this just for the lulz. I’m happy that it has not been a problem so far, and I hope it never is :slight_smile: