[Psi-devel] Opening downloaded files in a safe way
Maciek Niedzielski
machekku at uaznia.net
Wed Dec 6 20:36:54 PST 2006
Hi, smart people :)
Some time ago I wrote a patch that allowed opening downloaded files
directly from the Transfer Manager. While discussing how to prevent
executing dangerous files, James Chaldecott suggested [1] using latest
Windows API (IAttachmentExecute [2]) to handle this (where possible).
I've been looking at these utilities for the last two days and I can say two things:
1) they look really nice
2) they have one extremely unpleasant behavior...
As the name (IAttachmentExecute) says, it was designed with email-like
apps in mind. To be more specific, applications that have the downloaded
file "hidden" somewhere and then can "extract" it anytime.
Typical usages are:
A. Saving attachment:
   1. Extract the attachment to user's location.
   2. Call Save() to do security checks.
B. Executing attachment:
   1. Extract to temporary location.
   2. Call Execute() to perform checks and execute.
Where is the problem?
If the file is "extremely" dangerous, the security check may delete it
without giving any chance to stop the process. It is not a problem for
email client, because the user can change some settings and save/run the
file again.
However, in our case, deleting the just downloaded file is the end: we
cannot restore it.
There are three possible solutions I can think of:
1. Don't use IAttachmentExecute at all.
2. Download the file into temp dir, make a copy, run Save(), etc.
This is what (most probably) MSN Messenger does. I don't like this
solution for two reasons:
* partially downloaded file is hard to find, resuming becomes harder
* can eat much disk space if the file is big, and you may not have
enough space on the temp partition
However, this is (as I guess) the recommended solution.
3. Use CheckPolicy() function which performs a check (without deleting)
and returns one of { Enable opening, Prompt before opening, Disable
opening}. As far as I can understand, Save()/Execute() deletes the file
if CheckPolicy() suggests disabling access to the file.
The algorithm would be something like:
    if (CheckPolicy() != don't open)
        Execute()
    else
        display big warning and open if user confirms
Advantages of doing this instead of self-made checks, etc are:
* native checking if the file is dangerous
* Execute() can display nice-looking warnings for semi-dangerous files
and remember user decisions (there is "don't ask again for this file
type" checkbox)
Disadvantages:
* Warning for the most dangerous files will not be native (but I guess
we can fake it to look more Windows-like)
* I'm not 100% sure if CheckPolicy() != don't open guarantees that
Execute()/Save() won't automatically delete the file.
So... please say something smart... And I'm going to sleep...
[1] http://lists.affinix.com/htdig.cgi/psi-devel-affinix.com/2005-May/002929.html
[2] http://msdn2.microsoft.com/en-us/library/ms647048.aspx
--
Maciek
xmpp:machekku at uaznia.net
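The CheckPolicy()-then-Execute() flow proposed in the message above, written out as an added example; this is not Psi's code nor code from the thread. It factors the decision ("did CheckPolicy() answer disable?") into a plain function that compiles anywhere, and keeps the real IAttachmentExecute calls behind an _WIN32 guard. The HRESULT meanings (S_OK = enable, S_FALSE = prompt, E_FAIL = disable) are those documented for IAttachmentExecute::CheckPolicy; the client title, the source URL and the function names are placeholders chosen for the example.

```cpp
// Added example, not from the Psi project: "only hand the file to
// Execute() when CheckPolicy() did not say disable", because Execute()
// and Save() delete the file in the disable case and a freshly
// downloaded file cannot be restored afterwards.
#include <cstdint>
#include <string>

#ifdef _WIN32
#include <windows.h>
#include <shobjidl.h>   // IAttachmentExecute, CLSID_AttachmentServices
#endif

// Mirror of the three HRESULT values CheckPolicy() is documented to return.
constexpr int32_t kPolicyEnable  = 0x00000000;                         // S_OK
constexpr int32_t kPolicyPrompt  = 0x00000001;                         // S_FALSE
constexpr int32_t kPolicyDisable = static_cast<int32_t>(0x80004005u);  // E_FAIL

enum class OpenAction {
    CallExecute,       // let Execute() run the file; it shows the native prompt itself
    OwnWarning,        // policy says disable: never call Execute()/Save(), they delete the file
    AbortUnknownCode   // unexpected HRESULT (e.g. COM setup failed): do not touch the file
};

// The decision from the mail. Anything that is not a known "open" answer
// lands in a branch that leaves the downloaded file alone.
OpenAction decideOpenAction(int32_t checkPolicyResult) {
    switch (checkPolicyResult) {
        case kPolicyEnable:
        case kPolicyPrompt:
            return OpenAction::CallExecute;
        case kPolicyDisable:
            return OpenAction::OwnWarning;
        default:
            return OpenAction::AbortUnknownCode;
    }
}

// Human-readable label for UI/log messages.
const char* describeOpenAction(OpenAction action) {
    switch (action) {
        case OpenAction::CallExecute:      return "hand over to IAttachmentExecute::Execute()";
        case OpenAction::OwnWarning:       return "show our own warning, open only if user confirms";
        case OpenAction::AbortUnknownCode: return "unexpected policy result, leave file untouched";
    }
    return "unknown";
}

#ifdef _WIN32
// Runs the real check on an already downloaded file. The caller must have
// initialised COM. clientGuid identifies the application so that "don't ask
// again" choices are remembered per client; sourceUrl is what the API uses
// to pick the security zone (the value passed here is a placeholder).
// Returns the raw HRESULT from CheckPolicy(), or the COM failure code.
int32_t checkDownloadedFilePolicy(const std::wstring& localPath,
                                  const std::wstring& sourceUrl,
                                  const GUID& clientGuid) {
    IAttachmentExecute* attach = nullptr;
    HRESULT hr = CoCreateInstance(CLSID_AttachmentServices, nullptr,
                                  CLSCTX_INPROC_SERVER, IID_PPV_ARGS(&attach));
    if (FAILED(hr)) {
        return static_cast<int32_t>(hr);   // maps to OwnWarning/AbortUnknownCode: file untouched
    }
    attach->SetClientGuid(clientGuid);
    attach->SetClientTitle(L"Psi file transfer");   // placeholder title
    attach->SetLocalPath(localPath.c_str());
    attach->SetSource(sourceUrl.c_str());
    hr = attach->CheckPolicy();                      // checks only, does not delete
    attach->Release();
    return static_cast<int32_t>(hr);
}

// Only called after decideOpenAction() returned CallExecute. Execute() may
// still show the native "are you sure?" prompt for semi-dangerous types.
bool openWithExecute(HWND owner, const std::wstring& localPath,
                     const std::wstring& sourceUrl, const GUID& clientGuid) {
    IAttachmentExecute* attach = nullptr;
    HRESULT hr = CoCreateInstance(CLSID_AttachmentServices, nullptr,
                                  CLSCTX_INPROC_SERVER, IID_PPV_ARGS(&attach));
    if (FAILED(hr)) return false;
    attach->SetClientGuid(clientGuid);
    attach->SetClientTitle(L"Psi file transfer");   // placeholder title
    attach->SetLocalPath(localPath.c_str());
    attach->SetSource(sourceUrl.c_str());
    hr = attach->Execute(owner, nullptr, nullptr);   // default verb, no process handle wanted
    attach->Release();
    return SUCCEEDED(hr);
}
#endif
```

The point of the split is the disable branch: because the mail is not certain that a non-disable CheckPolicy() result guarantees Execute() will never delete the file, the caller can combine this with the copy-first approach (option 2 in the message) for the high-value cases, while the decision table itself stays testable on any platform.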