function(checkfiletype) in site.story not overriding function in common.story E2G 5.5.1pre #735

Open
Dalacor opened this issue Jul 10, 2022 · 3 comments
@Dalacor

Dalacor commented Jul 10, 2022

Instead of using bannedextensionlist and bannedmimetypelist I want to move to exceptionextensionlist and exceptionmimetypelist as this would be more secure.

I have uncommented the following in site.story. However, extensions are still being banned based on what is in the bannedextensionlist file. I am aware that there is a function(checkfiletype) in the common.story file which bans extensions and mimetypes based on what is in the banned files. It would seem that the function(checkfiletype) in site.story is not overriding the function in common.story.

```
# If you only want exception extensions/mime filetypes to be allowed
# then uncomment the following 4 lines
function(checkfiletype)
if(mimein, exceptionmime) return false
if(extensionin, exceptionextension) return false
if(true) return setblock
```

I presume that I need to set the messageno=900 for exceptionextensionlist and messageno=800 for exceptionmimetypelist in the e2guardianfx.conf files as this bit of coding is missing for exceptions, but not the banned lists.

@philipianpearce
Contributor

The function override facility is basic to the storyboard facility. Can you turn on storyboardtrace on a test system and, if it is not obvious what is wrong, post the result with your site.story and the story for the filtergroup?

Message numbers: as exceptions do not display a message to the user, message_nos are not usually needed, and as the function is deploying reverse logic the message number should be included in the storyboard condition setting the block - so the final line should read 'if(true,,750) return setblock'. I'll correct this in later versions.

@Dalacor
Author

Dalacor commented Jul 20, 2022

I did a story trace and there was nothing in the logs. I will look at this again when I have fully completed all the work I am doing on E2guardian as there may have been some change during the setup process that I have not documented that is causing the issue.

@Dalacor
Author

Dalacor commented Jul 26, 2022

I have done some more work on this and compared E2guardian 5.5.1pre with E2guardian 5.4.5r and I can confirm that the results are the same regardless of E2guardian version. It is a bit confusing because it depends on how the file is stored on the website and whether you are using banned or exceptions.

  1. When you enable function checkfiletype in site.story and uncomment the exceptionmimetypelist and exceptionextensionlist in e2guardianf1.conf - E2guardian shows the following error on restarting:

SB warning: Defined list mimelist:bannedmime is not referenced in storyboard ....examplef1.story

  2. If that is all you do, then if you have, say, zipped files blocked in bannedextensionlist but allowed in exceptionmimetypelist - then the file download will be blocked - if the link is a url link that contains .zip. So for example if you use the E2guardian 5.4.5r download links as a test - the file download will be blocked because the url link contains the .zip as part of the url.
    https://github.com/e2guardian/e2guardian/archive/refs/tags/v5.4.5r.zip. This also applies to links within emails that you click on.

However, another website where you can download a zip file but the url link does not contain the word .zip - then it ignores the bannedextensionlist and just uses the exceptions. Hopefully that makes sense. This was quite confusing to work out as it was not obvious what was happening initially.

  3. Let's say you allow, say, application/json in exceptionmimetypelist to ensure that websites work properly as a lot of websites use javascript and json to load scripts etc. So great, json will work properly on websites. However, what it also does is allow users to download .json files. See this website as an example - https://www.appsloveworld.com/download-sample-json-file-with-multiple-records. I can download the .json file even though I don't have that extension allowed in exceptionextensionlist. This does not appear to be an issue in bannedextension and bannedmimetypes. You can block downloading .json files whilst still allowing json content on websites to work when using the banned route rather than the exceptions route.

  4. Links from an email that contain a link to a download that is saved in the same location as the url. You can only download the file if allowing the extension within exceptionmimetypelist. For some reason, allowing the extension in exceptionextensionlist has no effect. So how and where the file is saved does seem to affect how banned and exception extensions and mimetypes work.

@philipianpearce philipianpearce self-assigned this Jun 12, 2023
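
A simplified Python model of the allowlist `checkfiletype` lines quoted in this issue, added here as an illustration and not e2guardian's or either participant's code. It shows that the two exception tests act as an OR, so an allowlisted MIME type permits a download whatever its extension. Assumptions: the extension is taken from the URL path only, the two lists and the sample responses are constructed, and 750 is the message number from the suggested final line.

```python
import posixpath
from urllib.parse import urlsplit

# Constructed stand-ins for exceptionmimetypelist / exceptionextensionlist.
EXCEPTION_MIME = {"text/html", "application/json"}
EXCEPTION_EXTENSION = {".html", ".css"}
BLOCK_MESSAGE_NO = 750  # from the suggested 'if(true,,750) return setblock'


def url_extension(url):
    """Lower-cased extension of the URL path, or '' when the path has none."""
    return posixpath.splitext(urlsplit(url).path)[1].lower()


def checkfiletype(url, content_type):
    """Return (blocked, message_no), evaluating the three lines in order."""
    mime = content_type.split(";", 1)[0].strip().lower()
    # if(mimein, exceptionmime) return false
    if mime in EXCEPTION_MIME:
        return (False, None)
    # if(extensionin, exceptionextension) return false
    if url_extension(url) in EXCEPTION_EXTENSION:
        return (False, None)
    # if(true,,750) return setblock
    return (True, BLOCK_MESSAGE_NO)


def audit(samples):
    """List responses allowed by MIME although their extension is not allowlisted."""
    findings = []
    for url, ctype in samples:
        blocked, _ = checkfiletype(url, ctype)
        ext = url_extension(url)
        if not blocked and ext and ext not in EXCEPTION_EXTENSION:
            findings.append((url, ctype))
    return findings


# Constructed responses; example.test is a placeholder host.
SAMPLES = [
    ("https://example.test/api/items", "application/json; charset=utf-8"),
    ("https://example.test/files/sample.json", "application/json"),
    ("https://example.test/files/tool.zip", "application/zip"),
    ("https://example.test/index.html", "text/html"),
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(sample, checkfiletype(*sample))
    print("allowed by MIME only:", audit(SAMPLES))
```

Running `audit` over a sample of proxied URL and Content-Type pairs gives a quick list of file types that an exception MIME entry is letting through without a matching extension entry.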