
Ask for no videos on the bug form #3281

Merged (2 commits), Oct 23, 2024

Conversation

matt335672
Member

I'm proposing we ask for no links to external websites for images or videos on the bug report form.

This has bothered me for a while. Not only are these not guaranteed to be available for future readers, but a link to an external website could be used to compromise a developer's browser, or to find out more information about the developer's workstation configuration.

What do people think?

Header on updated bug report form looks like this:-

[image: screenshot of the header of the updated bug report form]

Member

@metalefty metalefty left a comment

I generally agree. BTW, videos on YouTube will be acceptable for me if the file size is larger than GitHub accepts.

@matt335672
Member Author

Thanks @metalefty

Here's the scenario which bothers me. Some might accuse me of being paranoid, but we are developing software which runs with root privilege on users' machines.

Using the usual names, we have 'Alice' for an xrdp developer or long-time contributor, and 'Mallory' for an attacker.

  1. Mallory raises issue/discussion
  2. Alice attempts to address the issue
  3. Mallory engages with Alice, explains the issue isn't resolved and posts helpful link to video in a reply. Video is hosted on website controlled by Mallory.
  4. Alice clicks on link to watch video. At this point, from the connection, Mallory learns Alice's IP address, browser, operating system, etc. Mallory crafts second video containing an exploit targeted at Alice's machine.
  5. Later in the conversation, Alice watches the second video and the exploit is delivered.
  6. Mallory immediately replaces the video with a harmless version, or simply vanishes leaving no trail to follow.

We've had issues raised which follow stages 1-3 of this pattern (e.g. #3211 / #3280). To be absolutely clear, I'm not accusing any of our user community of malicious intent at this stage. I'm simply saying that 1-3 are an expected path of events when we are triaging user issues, and so as developers we are less likely to be on our guard.

With that rather long-winded post out of the way, I think I'm OK with YouTube postings too. It removes stage 4 from the attacker, and the attacker no longer has direct control over the video. It's still not perfectly safe, but it's a lot better:-

https://www.pandasecurity.com/en/mediacenter/youtube-virus-tips/

I'll reword the text to add an exception for YouTube.

@matt335672
Member Author

Updated form:-

[image: screenshot of the updated bug report form]

@metalefty
Member

metalefty commented Oct 22, 2024

Yup, your suggestion and concern make sense to me. Videos are helpful to see exactly what's happening on the user side, but there are some risks like you mentioned.

BTW, I'm thinking about how I can ensure reporters let us know the result of xrdp -v in the issue form.
Some people paste nothing there, some people write a question there, and some people remove the ~~~ quotation marks even though it is noted not to remove them. I'm not seriously suffering from that actually :) Most reporters fill in the issue form as intended.

Anyway, your changes to the issue form LGTM.
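As an added example (not xrdp's own tooling, and not code from anyone in this thread), the following triage helper applies both points discussed above to an issue body: it flags links to hosts outside an assumed allowlist of GitHub upload hosts plus YouTube (any such link, once clicked, hands the site the reviewer's IP address and User-Agent, which is stage 4 of the scenario), and it looks for `xrdp -v` output inside the form's ~~~ fence, reporting separately when the output is present but the fence was removed. The allowlist, the assumption that `xrdp -v` prints a first line of the form `xrdp X.Y.Z`, and the two sample issue bodies are all assumptions constructed for illustration.

```python
"""Issue-body triage helper (added example; not part of the xrdp project)."""
import re
from typing import Dict, List, Optional, Tuple
from urllib.parse import urlparse

# Assumption: GitHub's own upload hosts plus YouTube are the accepted exceptions.
ALLOWED_HOSTS = {
    "github.com",
    "user-images.githubusercontent.com",
    "www.youtube.com",
    "youtube.com",
    "youtu.be",
}

URL_RE = re.compile(r"https?://[^\s)>\]]+")
# A ~~~ fence, optionally with an info string, and its contents.
FENCE_RE = re.compile(r"~~~[^\n]*\n(.*?)\n~~~", re.S)
# Assumption: the first line of `xrdp -v` output is "xrdp X.Y.Z".
VERSION_RE = re.compile(r"^\s*xrdp (\d+\.\d+\.\d+)", re.M)


def _host(url: str) -> str:
    return (urlparse(url).hostname or "").lower()


def external_links(body: str) -> List[str]:
    """Return every URL whose host is not on the allowlist.

    File type is deliberately ignored: the information leak happens on the
    first request, whether the target is a video, an image or a plain page.
    """
    return [u for u in URL_RE.findall(body) if _host(u) not in ALLOWED_HOSTS]


def find_version(body: str) -> Tuple[Optional[str], bool]:
    """Return (version, fenced).

    version is the X.Y.Z from the first "xrdp X.Y.Z" line found, or None;
    fenced is True only when that line sat inside a ~~~ block as the form asks.
    """
    for block in FENCE_RE.findall(body):
        m = VERSION_RE.search(block)
        if m:
            return m.group(1), True
    m = VERSION_RE.search(body)  # fence removed or never pasted into it
    if m:
        return m.group(1), False
    return None, False


def triage(body: str) -> Dict[str, object]:
    """Summarise the checks a maintainer would want before clicking anything."""
    problems: List[str] = []
    links = external_links(body)
    if links:
        problems.append("external links (do not open): " + ", ".join(links))
    version, fenced = find_version(body)
    if version is None:
        problems.append("no `xrdp -v` output found")
    elif not fenced:
        problems.append("`xrdp -v` output present but the ~~~ fence was removed")
    return {
        "version": version,
        "fenced": fenced,
        "external_links": links,
        "problems": problems,
        "ok": not problems,
    }


# Constructed sample issue bodies (not real reports).
GOOD_BODY = """**Describe the bug**
Session disconnects right after login.

**xrdp -v output**
~~~
xrdp 0.9.23
  A Remote Desktop Protocol Server.
~~~

Recording: https://github.com/user-attachments/assets/clip.mp4
"""

BAD_BODY = """Still broken, see the video: https://example.net/xrdp-repro.mp4
Also uploaded to https://www.youtube.com/watch?v=example

xrdp 0.9.21
  A Remote Desktop Protocol Server.
"""

if __name__ == "__main__":
    for name, body in (("good", GOOD_BODY), ("bad", BAD_BODY)):
        print(name, triage(body))
```

The YouTube link in the second sample is not reported, matching the exception the thread settles on, while the `example.net` link is; the version line is still recovered there even though the reporter dropped the fence, so the reply can ask for the fence rather than for the whole output again.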

@matt335672 matt335672 merged commit b318624 into neutrinolabs:devel Oct 23, 2024
14 checks passed
@matt335672 matt335672 deleted the no_videos branch October 23, 2024 08:51
@datiscum

Please specify GitHub's size limit of 10 MByte in the text, otherwise it goes like it did for me: everything is ready and a 20 MByte video cannot be uploaded. Unfortunately, I was only told this when I wanted to upload it to GitHub. 10 MByte is really little, but if I had known the limit, I could have kept to it.

@matt335672
Member Author

@datiscum - the 10Mb limit is already mentioned in the text. Do you think it could be better worded?

@datiscum

The limit of 10 MByte could be emphasized a bit more. I don't have a YouTube account and wouldn't set one up for that reason.
