External sites - use of custom icons causes a security warning

[j-ed]

Affected apps

The external sites app

Expected behaviour

The external sites app shouldn't cause a security warning when custom icons have been copied to the ./apps/external/img directory and have been assigned to external site links. Additional icons in that directory should be excluded from the security check or the app should be extended to load icons from a different location which is not checked by the security function.

Actual behaviour

The external sites app causes a security warning when custom icons are copied to the ./apps/external/img directory and assigned to an external site link.

Steps to reproduce

1. Copy a new icon file to the directory ./apps/external/img
2. Open Administration -> Additional settings -> External sites
3. Assign a new icon to an external site link.
4. Install a new app etc. so that a complete security check is forced. (unfortunately I don't know if it's possible to force a check from the command line.
5. A security warning is shown because an unknown file was found in the directory:

Server configuration

Operating system: Linux 3.2.82
Web server: Apache2 2.4.23
Database: MariaDB 5.5.53
PHP version: 5.6.23
Nextcloud version: 10.0.2

Client configuration

Browser: Firefox 50.0.2
Operating system: Windows 7

Logs

No errors have been logged

[j-ed]

A possible solution would be to allow to choose an image from a location outside the official directory tree and store in the the database, similar as it is done for contacts pictures and avatars.

[moretocome]

Same issue.

Server configuration:
Operating system: Raspbian 8/4.4.38-v7+ armv7l (32 bit)
Web server: nginx/1.10.2
Database: MariaDB 10.0.29
PHP version: 7.0.15-1
Nextcloud version: 11.0.1

Client configuration:
Browser: Firefox 51.0.1
Operating system: Linux Mint 18.1

[juliusstoerrle]

This was solved by nextcloud/external#46 as this is the duplicate of nextcloud/external#5

[jancborchardt]

Closing as per @juliusstoerrle’s comment.