Magic byte blacklist for NFO uploads #78
Comments
|
Is it really that frequent though? Like, once a year? |
|
Certainly a bit more than just once a year, but probably not more than once a month or so. Latest example: https://www.pouet.net/prod_nfo.php?which=72222 |
|
I'm still not convinced that blocking certain strings is a good idea, just because an NFO contains "GIF89" doesn't mean it's invalid; that being said a warning box saying "are you sure this is the .nfo" can potentially work. I'd have to look into JS to see about local file reading though. (I've done it before but I try not to remember a lot of it.) What I fear is that like in most cases, an outright block will hit false positives, and a warning will not deter people enough. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
It happens frequently that screenshots are uploaded as NFOs instead. With a user mistake happening that often, it is obvious that there is a UI problem, but that's not the point of this issue. As an easy countermeasure, the uploaded NFO could be scanned for a few selected magic bytes of commonly used graphics formats and then reject the upload. Examples: "GIF", "\xFF\xD8\xFF" (JPEG), "\x89PNG".
The text was updated successfully, but these errors were encountered: