Use a better content type for attachments created with application/octet-stream
|Assignee:||Jean-Philippe Lang||% Done:|
Some email clients will always send attachments with a mime-type of
application/octet-stream instead of correctly setting the attachment of the mime-type. We are aware of Outlook 15 showing this behaviour, but it might not be the only one.
This is a problem in the case where the front-end web server behind which Redmine runs sends the
X-Content-Type-Options: nosniff header, which stops the browser from trying to guess the mime type of files the server sends it (this header is set on the Planio platform for security reasons).
- Redmine blindly trusts the mime-type set by the email client source:/branches/2.6-stable/app/models/mail_handler.rb#L276
- This mime-type gets stored to the DB
- And is served back as the Content-Type of the corresponding thumbnail source:/branches/2.6-stable/app/controllers/attachments_controller.rb#L63
- The browser tries to fetch the thumbnail but gets a file with the Content-Type set to
application/octet-stream, which isn't considered an image and a broken link/broken image is shown.
#1 Updated by Felix Schäfer about 3 years ago
- File 19131.patch added
The attached patch tries to better guess the mime type of attachments incoming via email if the mime-type of the attachment is set to
If this is an acceptable solution, I would also add a migration to try to find a better mime type than
application/octet-stream for existing attachments with that content type.
#5 Updated by Jean-Philippe Lang about 3 years ago
Index: app/controllers/attachments_controller.rb =================================================================== --- app/controllers/attachments_controller.rb (revision 13994) +++ app/controllers/attachments_controller.rb (working copy) @@ -183,7 +183,7 @@ def detect_content_type(attachment) content_type = attachment.content_type - if content_type.blank? + if content_type.blank? || content_type == "application/octet-stream" content_type = Redmine::MimeType.of(attachment.filename) end content_type.to_s
#6 Updated by Felix Schäfer about 3 years ago
This is in fact exactly what we have done for Planio until we had worked out a solution here. I had thought the create-time guessing better as this would have to be done only once for each attachment, but that works well too and avoids additional migrations.
#7 Updated by Toshi MARUYAMA about 3 years ago
OpenProject (GPL3) uses another approach of attachment detection.
#9 Updated by Jean-Philippe Lang about 3 years ago
- Tracker changed from Defect to Feature
- Subject changed from Don't trust MUAs to always set the correct mime-type for attachments to Use a better content type for attachments created with application/octet-stream
- Status changed from New to Resolved
- Assignee set to Jean-Philippe Lang
- Target version set to 3.0.0
- Resolution set to Fixed
Change committed in r14034.