Element Windows lets Python, PHP, EXE scripts execute with no warning #1818
Comments
I tested with a downloaded Once downloaded both files indeed show as untrusted in Properties, but clicking the Open button in Element starts the .exe as well as the .pyz without asking for further confirmation. Windows 22H2 Considering other apps like Telegram and WhatsApp give a warning before opening such files, I think a similar warning message in Element about potential danger before opening certain file types, or even preventing access altogether from within Element would be good. Telegram seems to have added python scripts to their blacklist according to this:
Did you test this by sending Here's what happens if you send something Windows/Microsoft don't already know about:
I think Element does the right thing from a technical point of view. Would adding some warning text in the vein of "open the file only if you trust the sender" help somehow?
Another option would be not to let the Element application directly open files at all.
I agree that technically the "fault" is not with Element. But the behavior of other apps of giving warnings before opening risky files is sensible when dealing with this. I like bestrocker221's proposal of simply opening the containing folder instead of the file directly, this completely bypasses the problem, and is what the user will have to do anyway if the file were to be on a blacklist.
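One way the "open the containing folder instead" proposal from the comments could look, as an added example that is not part of the thread and not Element's code. The function names and the extension list are hypothetical; `shell` is assumed to expose Electron's `shell.openPath` and `shell.showItemInFolder`.

```javascript
// Illustrative (not authoritative) set of extensions that Windows runs or
// hands to an interpreter when the file is opened.
const RISKY_EXTENSIONS = new Set([
  "exe", "com", "scr", "bat", "cmd", "msi", "ps1", "vbs", "jse", "wsf",
  "hta", "lnk", "py", "pyw", "pyz", "pyzw", "php",
]);

// Reduce a path or attachment name to the name Windows will act on.
// Win32 drops trailing dots and spaces, so "tool.pyz. " is "tool.pyz" on disk.
function normalizeName(fileName) {
  const base = String(fileName).split(/[\\/]/).pop();
  return base.replace(/[. ]+$/, "").toLowerCase();
}

// Only the last extension decides what runs: "invoice.pdf.exe" is an .exe.
function finalExtension(fileName) {
  const name = normalizeName(fileName);
  const dot = name.lastIndexOf(".");
  return dot >= 0 ? name.slice(dot + 1) : "";
}

// Returns "reveal" for risky types (show the file in its folder so the
// user opens it through Explorer), "open" for everything else.
function decideOpenAction(fileName) {
  return RISKY_EXTENSIONS.has(finalExtension(fileName)) ? "reveal" : "open";
}

// Handler for the attachment "Open" button. `shell` is injected so the
// policy can be exercised without Electron.
function handleOpen(filePath, shell) {
  const action = decideOpenAction(filePath);
  if (action === "reveal") {
    shell.showItemInFolder(filePath);
  } else {
    shell.openPath(filePath);
  }
  return action;
}
```
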
Steps to reproduce
Similar to WhatsApp & Telegram for Windows, I believe this issue applies on Element as well.
https://www.bleepingcomputer.com/news/security/whatsapp-for-windows-lets-python-php-scripts-execute-with-no-warning/
Element Windows allows sending Python, PHP and EXE attachments that are executed without any warning when the recipient opens them.
Outcome
Several solutions can be considered:
etc
Operating system
Windows
Application version
No response
How did you install the app?
No response
Homeserver
No response
Will you send logs?
No