It is safe to show image attachments directly, rather than serving them as downloads (like we must do for everything else, for security)
On allura js/4277. To test, attach both an image and a non-image file to an artifact (should work for tickets, wiki pages, discussion posts, etc the same). Clicking the image should display the image full-size, but clicking the non-image will prompt a download.
This isn't secure enough. If I upload an HTML attachment and then (directly in mongo) update the content type to text/html/image/ then the attachment will be displayed inline, and Firefox does show it as regular HTML. This is possible since we currently trust user-provided content types.
Actually that is not the problem (although I think it's still safer to do a startswith check). The problem is that self.content_type is used to do the check, but serve() in filesystem.py uses the GridFS fp content_type. We need to check the same value. Offhand, I'm not sure which is best.
I made them both use self.content_type.
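The two concerns raised above, a prefix check on the image type instead of trusting the uploader's declared type and using one value for both the inline decision and the served Content-Type header, can be shown in a small standalone routine. This is an added example, not Allura's own code: the names (`decide`, `ServeDecision`, `INLINE_IMAGE_SIGNATURES`) and the magic-byte table are assumptions for this illustration. It goes one step beyond the thread by also checking that the bytes really start with the signature of the declared image type, so a stored content type that was tampered with cannot get non-image content rendered inline.

```python
"""Decide whether an attachment may be rendered inline or must be downloaded.

Added example (not Allura's code). Assumptions: a stored content type string,
the raw attachment bytes, and a filename are all available to the serving code.
"""
from dataclasses import dataclass
from typing import Optional

# Image types allowed inline, with the file signature each must start with.
# Everything not in this table is served as a download. (Constructed table.)
INLINE_IMAGE_SIGNATURES = {
    "image/png": (b"\x89PNG\r\n\x1a\n",),
    "image/jpeg": (b"\xff\xd8\xff",),
    "image/gif": (b"GIF87a", b"GIF89a"),
}


@dataclass(frozen=True)
class ServeDecision:
    """The single content type and disposition the response will use."""
    content_type: str
    disposition: str


def sniffed_image_type(data: bytes) -> Optional[str]:
    """Return the allowlisted image type whose signature the data carries."""
    for ctype, signatures in INLINE_IMAGE_SIGNATURES.items():
        if any(data.startswith(sig) for sig in signatures):
            return ctype
    return None


def decide(stored_content_type: str, data: bytes, filename: str) -> ServeDecision:
    """Inline only when the declared type is an image AND the bytes agree.

    The same `declared` value feeds both the check and the header, so the
    decision and the served Content-Type can never disagree.
    """
    # Normalise "image/PNG; charset=x" -> "image/png" before comparing.
    declared = stored_content_type.split(";", 1)[0].strip().lower()
    if declared.startswith("image/") and sniffed_image_type(data) == declared:
        return ServeDecision(declared, "inline")

    # Anything else is untrusted: force a download under a generic type so the
    # browser never tries to interpret the body (e.g. as HTML).
    safe_name = "".join(ch for ch in filename if ch.isprintable() and ch not in '"\\')
    return ServeDecision(
        "application/octet-stream",
        f'attachment; filename="{safe_name or "attachment"}"',
    )


if __name__ == "__main__":
    # Constructed sample inputs.
    png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
    html = b"<html><body>not an image</body></html>"
    print(decide("image/png", png, "photo.png"))          # inline as image/png
    print(decide("image/png", html, "evil.png"))          # forced download
    print(decide("text/html", html, "page.html"))         # forced download
```

A stored type that was changed to `image/png` while the body is still HTML is served as `application/octet-stream` with an attachment disposition; only a declared image type whose signature matches the bytes is rendered inline.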
Here's an example of this.