[LON-CAPA-users] Drop Box - Essay Response file checking

Mark Lucas lon-capa-users@mail.lon-capa.org
Thu, 14 Feb 2008 16:00:16 -0500


Todd,

A couple sides to this. First, it's actually David Ingram, our
calc-based coordinator that's complaining a bit about this.

I'm thinking the following:

* All we really do is check the file extension. Anybody wanting to do
something malicious can just change the extension to get it uploaded. I
guess it would not automatically open on the other end when downloaded,
so that would be some protection, but I don't think we check files for
being executables or the like (I'll be happily surprised if we do).

* There are issues of listing all the extensions you are willing to
accept. The default list for the drop box currently accepts a bunch, but
not docx (Word 2007), rtf, or wps (Microsoft Works document). Making
sure you've got everything you want is a bit of a pain, though certainly
manageable.

So I'm just poking around to make sure I have the story straight when I
go back to David with suggestions.

Later,
Mark

On Thu, 2008-02-14 at 13:41 -0700, Todd Ruskell wrote:
> Mark,
> 
> Not an answer, but a question:
> 
> Do you really want this?  What if they upload a malicious .exe file?
> (Maybe no more dangerous than embedded VB script in an office document?)
> LON-CAPA does have a list of known file types somewhere, and I would
> suspect it would not allow any file type it doesn't know.  I always
> limit my students' options.  If I'm looking for a spreadsheet I list all
> the spreadsheet file types, etc.  Helps protect students from themselves.
> 
> Todd
> 
> Mark Lucas wrote:
> > Hi,
> > 
> > Is there any way to have the Essayresponse upload work for any file
> > type?
> > 
> > Right now in order to get the box, you need to specify some filetype or
> > the essayresponse upload box doesn't even show up. Is there a wildcard
> > that will say accept any file extension?
> > 
> > What is done in the way of file checking - just a check of the
> > extension? (which the student can change if they want on their end)
> > 
> > Thanks,
> > Mark
> > 
>
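
The thread's point that an extension-only check is defeated by renaming a file can be illustrated with a content check. This is an added example, not LON-CAPA code and not part of the original messages; the function names `check_upload`, `is_docx` and `make_docx` and the signature table are assumptions made for illustration.

```python
import io
import zipfile

EXECUTABLE_MAGIC = {b"MZ": "Windows PE/DOS executable", b"\x7fELF": "ELF executable"}

# Expected leading bytes per accepted extension (constructed table, not LON-CAPA's list).
DOCUMENT_MAGIC = {
    "pdf": b"%PDF-",
    "rtf": b"{\\rtf",
    "doc": b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1",  # OLE2 compound file
    "docx": b"PK\x03\x04",                        # ZIP container
}

def is_docx(data):
    """A .docx is a ZIP archive that contains word/document.xml."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return "word/document.xml" in zf.namelist()
    except zipfile.BadZipFile:
        return False

def check_upload(filename, data, allowed):
    """Return (accepted, reason) for an uploaded file's name and bytes."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext not in allowed:
        return False, "extension not in allowed list"
    for magic, kind in EXECUTABLE_MAGIC.items():  # rejected under any file name
        if data.startswith(magic):
            return False, "content is a " + kind
    expected = DOCUMENT_MAGIC.get(ext)
    if expected is None:  # fail closed when no signature is known
        return False, "no content signature known for ." + ext
    if not data.startswith(expected):
        return False, "content does not match ." + ext
    if ext == "docx" and not is_docx(data):
        return False, "ZIP archive is not a Word document"
    return True, "ok"

def make_docx():
    """Build a minimal constructed .docx-shaped archive for the demo."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("word/document.xml", "<w:document/>")
    return buf.getvalue()

if __name__ == "__main__":
    demo = [("essay.rtf", b"{\\rtf1 hi}"), ("essay.doc", b"MZ\x90\x00"), ("essay.docx", make_docx())]
    for name, data in demo:  # constructed uploads; the .doc is a renamed executable
        print(name, check_upload(name, data, {"rtf", "doc", "docx"}))
```

A signature check of this kind catches a renamed executable but does not detect macros embedded in an otherwise valid Office document, the other risk raised in the thread.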