Summary: | Automatically accept file transfers | ||
---|---|---|---|
Product: | [Unmaintained] telepathy | Reporter: | Daniele E. Domenichelli <ddomenichelli> |
Component: | approver | Assignee: | Telepathy Bugs <kde-telepathy-bugs> |
Status: | RESOLVED UNMAINTAINED | ||
Severity: | wishlist | CC: | dvratil, kde-telepathy-bugs, kde, mklapetek |
Priority: | NOR | ||
Version: | git-latest | ||
Target Milestone: | Future | ||
Platform: | unspecified | ||
OS: | Linux | ||
Latest Commit: | Version Fixed In: | ||
Sentry Crash Report: |
Description
Daniele E. Domenichelli
2012-05-14 10:24:18 UTC
The configuration part is already in the kded-module config (telepathy-kded-config.cpp), but the checkbox is hidden until it is not supported by the approver. I am afraid, that i dont have the time atm. so i put it back to not assigned. Out of curiosity, why would one want to automatically accept file transfers? Thinking about it, it could also be a security issue, because you have an easy way to get any file into user's system. So if this is ever implemented, I would like to have a big red flashing warning next to this option stating it means a security risk. What about per-contact auto-accept? Instead of one global switch, there would be a checkbox in contact details dialog or so. (In reply to comment #5) > What about per-contact auto-accept? Instead of one global switch, there > would be a checkbox in contact details dialog or so. It's still a security risk and I still don't get the reason. Skype allows you to do that, and I think it's quite useful when you are away (because you cannot accept it) or when you are busy (because you don't want dialogs disturbing you. We could have this depending on the status: [ ] Auto accept file transfers (default disabled) [ ] When I'm away or busy (default option) [ ] Always I don't see a big security risk, the option will be disabled by default and the file is not run, is just saved... And by the way, did anyone ever reject a file transfer from one of his contacts? I just realized that If we want to implement this there is another issue: what to do if the file already exist. For sure we don't want to allow to overwrite a file automatically, so it should be renamed. We should have some way to let the ft-handler know that the channel was automatically accepted and that it should just rename the file without asking. Any idea about how to do it? Stepping in with my release manager hat on (I've borrowed it from Martin) this has too many unanswered questions to be allowed in 0.5. > Skype allows you to do that, and I think it's quite useful when you are away > (because you cannot accept it) or when you are busy (because you don't > want dialogs disturbing you. The other thing is - who sends files without communicating by chat first and getting confirmation from the other side ("sure, send it")? > I don't see a big security risk, the option will be disabled by default and the > file is not run, is just saved... Getting the file inside the computer is the first thing ;) > And by the way, did anyone ever reject a file transfer from one of his > contacts? I believe you cannot generalize this. I have ~150 contacts on GTalk, half of which I don't know personally but I have them there because G+ adds everybody automatically. So if some of these people would send me some file, I would most probably deny it. Actually thinking about it - with the auto-accept enabled only when away it's even worse. Suppose you have some contact in your list (even a bot/virus), who wants to do damage to your machine. He knows when you are away (either sees you or by other means), so he just waits until you're away and then send you a file, which could be a malicious file and by auto-accepting it it will get it through to your computer. There's still a possibility of some remote access/hijacking all this. And this would all happen while you're away from your computer, not knowing anything that's going on. > We should have some way to let the ft-handler know that the channel was > automatically accepted and that it should just rename the file without > asking. >Any idea about how to do it? I think we're doing something similar with the text channel - we're passing some window state hints. David? (In reply to comment #9) > The other thing is - who sends files without communicating by chat first and > getting confirmation from the other side ("sure, send it")? Most of my work colleagues don't do it, usually when they send files to group chats. Moreover someone might tell you "I'll send you 10 images", and send them one by one, I don't want to accept 10 file transfers... > > I don't see a big security risk, the option will be disabled by default and the > > file is not run, is just saved... > > Getting the file inside the computer is the first thing ;) Then you should reject all emails containing attachments as well > I believe you cannot generalize this. I have ~150 contacts on GTalk, half of > which I don't know personally but I have them there because G+ adds > everybody automatically. So if some of these people would send me some file, > I would most probably deny it. G+ is really broken then... I would be more worried about automatically added contacts rather than about a file saved on my hard drive. > Actually thinking about it - with the auto-accept enabled only when away > it's even worse. Suppose you have some contact in your list (even a > bot/virus), who wants to do damage to your machine. He knows when you are > away (either sees you or by other means), so he just waits until you're away > and then send you a file, which could be a malicious file and by > auto-accepting it it will get it through to your computer. There's still a > possibility of some remote access/hijacking all this. And this would all > happen while you're away from your computer, not knowing anything that's > going on. Granted that your contact knows that you have enabled auto-accept, you end with a file received on your hard drive and a notification that your contact sent you a file. More or less like when you receive an email with a virus, except that through email anyone can send it, while it must be in your contact list to send it through telepathy. And that suddenly you realize that you should ban that contact... But I agree with you that there is some risk if someone is trying to saturate your bandwidth (even though his upload bandwidth is quite likely to be way smaller than your download one) or to fill your hard drive, anyway, I don't say you have to enable that option. By the way I just had an useful idea for a future version: we could have an observer that scans the received files for virus... > Most of my work colleagues don't do it, usually when they send files to group chats. How does sending files to group chat actually works? And do we support it? > Moreover someone might tell you "I'll send you 10 images", and send them one by one, I don't want to accept 10 file transfers... I'd tell them to pack it up first. But seriously, is it worth enabling this for all the users for all the time (until you turn it off, obviously) over one time clicking ten buttons? And if that persons keeps doing it, (s)he should really pack it up ;) > Then you should reject all emails containing attachments as well That's why I'm using webmail ;) > G+ is really broken then... I would be more worried about automatically added contacts rather than about a file saved on my hard drive. Can't really argue with that. OTOH it's only people you either mail with quite often or you add them to your circles and they add you back (or the other way around). This still doesn't rule out the possibility of hijacking an account though. >More or less like when you receive an email with a virus, except that through email anyone can send it, while it must be in your contact list to send it through telepathy. Good point. > I don't say you have to enable that option. I'd just like to have some warning under that option, informing the user what that means, then I'm happy. Dear user, unfortunately Telepathy is no longer maintained. Please migrate to another solution, e.g. for Jabber a possibility is Kaidan, for Matrix a candidate is NeoChat. |