Apache Allura™

Forge software for hosting software projects

Brought to you by: alexluberg, brondsem, ccruz, deshani, and 11 others

#4277 Attachments of content-type image/* should be displayed inline

Milestone: v1.0.0

Status: closed

Owner: Jenny Steele

Labels: v2 (44) sf-2 (994)

Component: General

Reviewer: Cory Johns

Updated: 2015-08-20

Created: 2012-05-24

Creator: Dave Brondsema

Private: No

It is safe to show image attachments directly, rather than serving them as downloads (like we must do for everything else, for security)

Discussion

Dave Brondsema - 2012-06-01

size: --> 2
If you would like to refer to this comment somewhere else in this project, copy and paste the following link:

Dave Brondsema - 2012-06-07

labels: --> v2
If you would like to refer to this comment somewhere else in this project, copy and paste the following link:

Jenny Steele - 2012-06-18

status: open --> in-progress

assigned_to: Jenny Steele
If you would like to refer to this comment somewhere else in this project, copy and paste the following link:

Jenny Steele - 2012-06-18

On allura js/4277. To test, attach both an image and a non-image file to an artifact (should work for tickets, wiki pages, discussion posts, etc the same). Clicking the image should display the image full-size, but clicking the non-image will prompt a download.

If you would like to refer to this comment somewhere else in this project, copy and paste the following link:

Jenny Steele - 2012-06-18

status: in-progress --> code-review

qa: Cory Johns
If you would like to refer to this comment somewhere else in this project, copy and paste the following link:

Cory Johns - 2012-06-20

status: code-review --> closed
If you would like to refer to this comment somewhere else in this project, copy and paste the following link:

Dave Brondsema - 2012-06-25

status: closed --> in-progress
If you would like to refer to this comment somewhere else in this project, copy and paste the following link:

Dave Brondsema - 2012-06-25

This isn't secure enough. If I upload an HTML attachment and then (directly in mongo) update the content type to text/html/image/ then the attachment will be displayed inline, and Firefox does show it as regular HTML. This is possible since we currently trust user-provided content types.

we should only do inline display of content types that start with image/

we should have a new ticket to not trust user-provided content types at all (the attach() method calls, and mail_tasks.py / handle_message() )
If you would like to refer to this comment somewhere else in this project, copy and paste the following link:

Dave Brondsema - 2012-06-25

Actually that is not the problem (although I think it's still safer to do a startswith check). The problem is that self.content_type is used to to the check, but serve() in filesystem.py uses the GridFS fp content_type. We need to check the same value. Offhand, I'm not sure which is best.

If you would like to refer to this comment somewhere else in this project, copy and paste the following link:

Jenny Steele - 2012-06-26

status: in-progress --> code-review
If you would like to refer to this comment somewhere else in this project, copy and paste the following link:

Jenny Steele - 2012-06-26

I made them both use self.content_type.

If you would like to refer to this comment somewhere else in this project, copy and paste the following link:

Cory Johns - 2012-06-27

status: code-review --> closed
If you would like to refer to this comment somewhere else in this project, copy and paste the following link:

Jenny Steele - 2012-06-28

Here's an example of this.

example.txt

user_icon.jpeg

If you would like to refer to this comment somewhere else in this project, copy and paste the following link:

Log in to post a comment.