#4277 Attachments of content-type image/* should be displayed inline

Milestone: forge-jun-29
Status: closed
Owner: Jenny Steele
Labels: v2 (55)
Component: General
Priority: 2
Updated: 2012-06-28
Created: 2012-05-24
Creator: Dave Brondsema
Private: No

It is safe to show image attachments directly, rather than serving them as downloads (like we must do for everything else, for security).

Related

Tickets: #4431
Tickets: #4484
Tickets: #4520
Tickets: #4537

Discussion

(Page 1 of 2)
  • Jenny Steele, 2012-06-18

    On allura js/4277. To test, attach both an image and a non-image file to an artifact (should work for tickets, wiki pages, discussion posts, etc. the same). Clicking the image should display the image full-size, but clicking the non-image will prompt a download.
  • Dave Brondsema, 2012-06-25

    This isn't secure enough. If I upload an HTML attachment and then (directly in mongo) update the content type to text/html/image/ then the attachment will be displayed inline, and Firefox does show it as regular HTML. This is possible since we currently trust user-provided content types.

    • we should only do inline display of content types that start with image/
    • we should have a new ticket to not trust user-provided content types at all (the attach() method calls, and mail_tasks.py / handle_message() )
    • Dave Brondsema, 2012-06-25

      Actually that is not the problem (although I think it's still safer to do a startswith check). The problem is that self.content_type is used to do the check, but serve() in filesystem.py uses the GridFS fp content_type. We need to check the same value. Offhand, I'm not sure which is best.

      Last edit: Dave Brondsema 2012-06-25
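The two problems raised in the comments above (a substring test on the content type that lets "text/html/image/" through, and a check made on self.content_type while serve() sends the GridFS fp content_type) can be shown side by side in a small decision routine. The following is an added example, not Allura's code: the names stored_type, fp_type and serve_headers are illustrative, and it goes beyond the startswith fix proposed in the ticket by also sniffing the file's leading bytes, restricting inline display to a raster-image allowlist (image/svg+xml starts with image/ but can carry script, so it is left out here as an assumption), and sending X-Content-Type-Options: nosniff so the browser does not second-guess the served type.

```python
"""Deciding inline display vs. forced download for an attachment.

Added example, not Allura code. It models the two problems from the ticket:
  * a substring test on the content type lets "text/html/image/" through,
  * the value checked (self.content_type) and the value actually sent
    (the GridFS file's content_type) can differ.
Names (stored_type, fp_type, serve_headers) are illustrative assumptions.
"""

# Raster types a browser renders without executing anything.
# image/svg+xml also starts with "image/" but can contain <script>, so it is
# deliberately absent from this allowlist (assumption made for the example).
INLINE_IMAGE_TYPES = {"image/png", "image/jpeg", "image/gif"}

# Leading bytes of those formats, so the file content decides, not the uploader.
MAGIC = (
    (b"\x89PNG\r\n\x1a\n", "image/png"),
    (b"\xff\xd8\xff", "image/jpeg"),
    (b"GIF87a", "image/gif"),
    (b"GIF89a", "image/gif"),
)


def is_image_weak(content_type):
    """The check that fails: a substring match accepts 'text/html/image/'."""
    return "image/" in content_type


def is_image_prefix(content_type):
    """The ticket's proposal: the media type must start with image/."""
    return content_type.lower().startswith("image/")


def normalize(content_type):
    """Drop parameters and whitespace: 'image/PNG; q=1' -> 'image/png'."""
    return content_type.split(";", 1)[0].strip().lower()


def sniff_image_type(data):
    """Return the image type implied by the leading bytes, or None."""
    for magic, mime in MAGIC:
        if data.startswith(magic):
            return mime
    return None


def serve_headers(stored_type, fp_type, data, filename):
    """Headers for serving one attachment.

    stored_type: the artifact's own content_type (user-supplied at upload)
    fp_type:     the GridFS file's content_type (what serve() really sends)
    data:        the leading bytes of the file
    Inline only when both stored values agree, the type is in the allowlist,
    and the bytes really are that image; otherwise force a download.
    """
    declared = normalize(stored_type)
    sniffed = sniff_image_type(data)
    inline = (
        declared == normalize(fp_type)
        and declared in INLINE_IMAGE_TYPES
        and sniffed == declared
    )
    headers = {"X-Content-Type-Options": "nosniff"}
    if inline:
        headers["Content-Type"] = declared
        headers["Content-Disposition"] = "inline"
    else:
        headers["Content-Type"] = "application/octet-stream"
        # strip quote and line-break characters so the filename cannot
        # break out of the header value
        safe_name = filename.replace('"', "").replace("\r", "").replace("\n", "")
        headers["Content-Disposition"] = 'attachment; filename="%s"' % safe_name
    return headers


if __name__ == "__main__":
    # Constructed sample data, not real uploads: a minimal GIF header and an
    # HTML blob mislabelled the way the ticket describes.
    gif = b"GIF89a\x01\x00\x01\x00"
    html = b"<html><script>alert(1)</script></html>"
    print(serve_headers("image/gif", "image/gif", gif, "pic.gif"))
    print(serve_headers("text/html/image/", "text/html/image/", html, "x.html"))
    print(serve_headers("image/gif", "text/html", gif, "pic.gif"))
```

The mislabelled HTML is forced to download twice over: the type is not in the allowlist, and its bytes do not sniff as an image even when both stored values say image/gif. Comparing stored_type with fp_type makes the mismatch Dave describes an explicit failure rather than a silent one.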

