Bug 32387 - Review default configuration of Dansguardian for banned extensions/MIME types
Status: RESOLVED WONTFIX
Product: UCS
Classification: Unclassified
Component: Dansguardian
Version: UCS 3.1
Hardware: Other Linux
Importance: P5 normal
Target Milestone: UCS 3.x
Assigned To: Squid maintainers
Duplicates: 37329
Reported: 2013-08-27 15:35 CEST by Moritz Muehlenhoff
Modified: 2017-08-08 07:09 CEST

What kind of report is it?: Bug Report
What type of bug is this?: 2: Improvement: Would be a product improvement
Who will be affected by this bug?: 2: Will only affect a few installed domains
How will those affected feel about the bug?: 1: Nuisance – not a big deal but noticeable
User Pain: 0.023

Attachments
Default list of blocked extensions (3.26 KB, text/plain)
2013-08-27 15:38 CEST, Moritz Muehlenhoff

Description Moritz Muehlenhoff univentionstaff 2013-08-27 15:35:03 CEST
If content scan has been enabled in Dansguardian using squid/contentscan, the attached list of extensions is banned by default (/etc/dansguardian/lists/bannedextensionlist):

The default configuration should be reviewed/trimmed down.

- It blocks .doc and .xls by default (but not the dozens of other file types potentially containing macros). It's the job of the office application to enforce a macro policy, this isn't something the proxy should enforce by default.

- It has a list of extensions labeled "Time/bandwidth wasting files", which blocks some multimedia files or ISO images. There are endless valid use cases for these, so this shouldn't be in the default banned policy.

Some of the extensions for executable files seem fishy as well, e.g. "crt" or "otf".
Comment 1 Moritz Muehlenhoff univentionstaff 2013-08-27 15:38:15 CEST
Created attachment 5397
Default list of blocked extensions
Comment 2 Moritz Muehlenhoff univentionstaff 2013-08-28 07:43:11 CEST
The same applies for the variable dansguardian/groups/.*/banned/mimetypes:

By default a fairly obscure list of multimedia MIME extensions is blocked:

audio/mpeg
audio/x-mpeg
audio/x-pn-realaudio
audio/x-wav
video/mpeg
video/x-mpeg2
video/acorn-replay
video/quicktime
video/x-msvideo
video/msvideo
application/gzip
application/x-gzip
application/zip
application/compress
application/x-compress
application/java-vm

Multimedia files should be blocked by default (and the list is totally ancient!) and MIME types for executable files are not present.
Comment 3 Moritz Muehlenhoff univentionstaff 2014-06-25 12:00:00 CEST
Feedback from a customer from a technical training who tried to use the content scanning in the company confirms that: Using the web is unusable with the default configuration since far too many (harmless) files and extensions are blocked.

Unfortunately the list can only be relaxed by editing the UCR templates.

I suppose this is also the reason for the performance problems mentioned in Bug 27777
Comment 4 Daniel Tröder univentionstaff 2017-06-14 13:50:07 CEST
*** Bug 37340 has been marked as a duplicate of this bug. ***
Comment 5 Daniel Tröder univentionstaff 2017-06-14 13:51:05 CEST
*** Bug 37329 has been marked as a duplicate of this bug. ***
Comment 6 Stefan Gohmann univentionstaff 2017-06-16 20:39:21 CEST
This issue has been filed against UCS 3. UCS 3 is out of the normal maintenance and many UCS components have vastly changed in UCS 4.

If this issue is still valid, please change the version to a newer UCS version otherwise this issue will be automatically closed in the next weeks.
Comment 7 Stefan Gohmann univentionstaff 2017-08-08 07:09:24 CEST
This issue has been filed against UCS 3.1.

UCS 3.1 is out of maintenance and many UCS components have vastly changed in later releases. Thus, this issue is now being closed.

If this issue still occurs in newer UCS versions, please use "Clone this bug" or reopen this issue. In this case please provide detailed information on how this issue is affecting you.