Defect #25282

Explanation for attachment change in r16285

Added by James Moore over 5 years ago. Updated almost 4 years ago.

Status: Closed
Start date:
Priority: Normal
Due date:
Assignee: -
% Done: 0%
Category: Attachments
Target version: -
Resolution:
Affected version: 3.2.5

Description

I'm looking at the 3.2 branch and there was a backport made (r16285) on 1/29/17 that changed images to be sent to the browser as attachments instead of inline. I'm not able to access the issue that's referenced in the commit (#24199). The comment in app/controllers/attachment_controller.rb:download still reads "images are sent inline".

Can someone offer an explanation as to why this change was made?

Thanks!

History

#1 Updated by James Moore over 5 years ago

Just to follow up, we consider this a regression and have reverted the change locally.

#2 Updated by Jean-Philippe Lang over 5 years ago

r16285 fixes a not yet disclosed XSS vulnerability based on a specific file format. We'll see if we can restore the previous behaviour for file formats that cannot cause this problem.

#3 Updated by James Moore over 5 years ago

  • Status changed from New to Resolved

Thanks, that's helpful to know.

#4 Updated by Maximilian Rüdiger about 5 years ago

Wouldn't it be easy to just display everything that's not svg inline?
Right now the behaviour is "everything that is not pdf -> attachment".
Perhaps it would be an idea to make it configurable in admin settings (some colleagues prefer pdf as attachment).

The behaviour change would be an easy patch; the settings stuff would require some deeper research for me on Redmine internals.

#5 Updated by Go MAEDA almost 5 years ago

  • Status changed from Resolved to Needs feedback

Maximilian Rüdiger wrote:

Wouldn't it be easy to just display everything that's not svg inline?
Right now the behaviour is "everything that is not pdf -> attachment".

Default behavior when clicking a file link has been changed to preview in Redmine 3.4.0 (#25988). I think that the inconvenience you are experiencing has been resolved by the change.

Could you test with Redmine 3.4?

#6 Updated by Go MAEDA almost 4 years ago

  • Status changed from Needs feedback to Closed

I think the new preview feature introduced in Redmine 3.4 (#25988) has resolved this issue.
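
An allowlist version of the "display everything that's not svg inline" idea from comment #4, written here as an added example (not Redmine's code and not part of the thread). The function names and the set of inline-safe types are assumptions; the file format behind r16285 is not disclosed on this page.

```ruby
# Added example, not Redmine's code. All names here are hypothetical.
require 'set'

# Assumed allowlist: raster images plus PDF (already inline per comment #4).
INLINE_SAFE_TYPES = Set.new(%w[image/png image/jpeg image/gif application/pdf]).freeze

# Normalise a Content-Type value: drop parameters, trim, lowercase.
def base_media_type(content_type)
  content_type.to_s.split(';', 2).first.to_s.strip.downcase
end

# Remove path components and characters that could break the quoted filename.
def safe_filename(name)
  cleaned = File.basename(name.to_s.tr('\\', '/')).gsub(%r{[\r\n"/]}, '_')
  cleaned.empty? ? 'download' : cleaned
end

# Response headers for serving an uploaded file. Anything not on the
# allowlist is forced to download and stripped of its declared type.
def download_headers(filename, content_type)
  type = base_media_type(content_type)
  inline = INLINE_SAFE_TYPES.include?(type)
  disposition = inline ? 'inline' : 'attachment'
  {
    'Content-Type' => inline ? type : 'application/octet-stream',
    'Content-Disposition' => %(#{disposition}; filename="#{safe_filename(filename)}"),
    'X-Content-Type-Options' => 'nosniff' # stop the browser guessing a type
  }
end

# The SVG-only denylist proposed in the thread, for comparison.
def denylist_inline?(content_type)
  base_media_type(content_type) != 'image/svg+xml'
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample uploads (not taken from any real tracker).
  [['logo.png', 'image/png'], ['chart.svg', 'image/svg+xml'],
   ['note.html', 'text/html; charset=utf-8'], ['x.bin', nil]].each do |name, ct|
    h = download_headers(name, ct)
    puts format('%-10s %-38s denylist_inline=%s', name,
                h['Content-Disposition'], denylist_inline?(ct))
  end
end
```

In the constructed rows, `text/html` passes the SVG-only denylist but is forced to download by the allowlist, which is the gap a denylist leaves for any other script-capable type.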
