Binary load fails with General Script Error when using app binary instead of .qvf

So this has been an option for as long as Qlik Sense has been on the market. Even though we do not use binary load as best practice there are a lot of our customers using this method. The fix at the moment we consider is running a powershell script exporting the apps we previously binary loaded from. Would you have any other recommendations @Sonja_Bauernfeind and @Andre_Sostizzo ? 

Hello @_Anders_ , @LeeSmithBtn , @luciano_pw 

I'm reaching out internally to have the right subject matter expert eyes on this for you. 

I have also corrected the typo in the example, which was meant to reference a .qvf, not a .qvd.

All the best,
Sonja

There should be a flag override that allows you to disable this security feature at a minimum so the risk Qlik is mentioning can be assessed and either accepted or rejected by individual companies, especially those that have come to rely heavily on this feature over many many years and complex deployments.

Separately, I would appreciate a more detailed, technical explanation of how making the binary connection to the qvf is more secure than connecting to the app binary.  How are companies really meant to make large scale architectural decisions in some cases without understanding how qvf connections are more secure than what they were doing before?

Hello @ericschmid 

This feedback is great, thank you! Could you log this as an idea in our Ideation section? I have already passed it on, but Ideation is the correct place to have it properly documented and available for voting and feedback from others.

@_Anders_ @mlee and @lucy 

I've updated the article after discussing it with our experts. In addition, here is general advice given by one of them:

It was always best practice not to binary load from the app folder, and Qlik Services would suggest a process to copy apps to a separate folder and append the .qvf extension to it. Services previously implemented solutions such as not only appending the .qvf extension, but to renaming the app to an English name, making it easier to work with from a development perspective.

We understand this is not an easy undertaking.

Referring back to @ericschmid; I recommend voting on Eric's idea and leaving your feedback on it accordingly.

All the best,
Sonja

hi @ericschmid :

please find attached some instructions left on linkedin regarding this issue that i raised on there to a very wide audience raising this issue... 

however someone came back with a workaround, by changing some settings, that has fixed the issue and allows binary load as per previously was. not sure why this is not being mentioned by anyone in support. but i assume its because at your own risk.... 

https://www.linkedin.com/feed/update/urn:li:activity:7339231435372847104?commentUrn=urn%3Ali%3Acomme...

basically this: 
1.stop services
2.please tray to disable the security feature it in the engine's system.ini located C:\ProgramData\Qlik\Sense\Engine with

[Settings 7]
EnableQvfPathValidation=0


also mentioned here under point QB-29696:

https://community.qlik.com/t5/Release-Notes/Sense-Enterprise-on-Windows-release-notes-November-2024-...

Fixed security issue where Engine would try to read and write to any path specified against Engine API. Solution of the fix adds path restrictions (with whitelisted folders) on e.g. OpenDoc and ExportApp, and restrictions to how relative paths are used in folder connections and lib references in the script. Relative paths should not be allowed to point outside of the scope set. It's not recommended to disable this fix, but can be disabled in case of emergency. To disable the fix, you need to add EnableQvfPathValidation=0 into Engine's Settings.ini file.

hopefully this helps, until feature is also removed.