Posted to commits@allura.apache.org by br...@apache.org on 2015/10/26 17:00:50 UTC

allura git commit: [#8011] only serve some image types directly

Repository: allura
Updated Branches:
  refs/heads/db/8011 [created] 232fafe78


[#8011] only serve some image types directly


Project: http://git-wip-us.apache.org/repos/asf/allura/repo
Commit: http://git-wip-us.apache.org/repos/asf/allura/commit/232fafe7
Tree: http://git-wip-us.apache.org/repos/asf/allura/tree/232fafe7
Diff: http://git-wip-us.apache.org/repos/asf/allura/diff/232fafe7

Branch: refs/heads/db/8011
Commit: 232fafe78bc929c391cd797e44cee4431c813c47
Parents: ddcee91
Author: Dave Brondsema <da...@brondsema.net>
Authored: Mon Oct 26 16:00:35 2015 +0000
Committer: Dave Brondsema <da...@brondsema.net>
Committed: Mon Oct 26 16:00:35 2015 +0000

----------------------------------------------------------------------
 Allura/allura/controllers/attachments.py       | 13 ++++++++++++-
 Allura/allura/tests/functional/test_discuss.py | 18 ++++++++++++++++++
 2 files changed, 30 insertions(+), 1 deletion(-)
----------------------------------------------------------------------


http://git-wip-us.apache.org/repos/asf/allura/blob/232fafe7/Allura/allura/controllers/attachments.py
----------------------------------------------------------------------
diff --git a/Allura/allura/controllers/attachments.py b/Allura/allura/controllers/attachments.py
index da25767..cf40fee 100644
--- a/Allura/allura/controllers/attachments.py
+++ b/Allura/allura/controllers/attachments.py
@@ -25,6 +25,17 @@ from allura.lib.security import require_access
 from .base import BaseController
 
 
+# text/html, script, flash, image/svg+xml, etc are NOT secure to display directly in the browser
+SAFE_CONTENT_TYPES = (
+    'image/png', 'image/x-png',
+    'image/jpeg', 'image/pjpeg', 'image/jpg',
+    'image/gif',
+    'image/bmp',
+    'image/tiff',
+    'image/x-icon',
+)
+
+
 class AttachmentsController(BaseController):
     AttachmentControllerClass = None
 
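Review bot: `SAFE_CONTENT_TYPES` is an allowlist matched by exact string equality, and the comment above it only says what is excluded; a reader should also be told what happens to everything not listed, which per the tests in this commit is a forced download. I would extend the comment to `# Allowlist of media types the browser may render inline; any other (or missing) content type is served as a download (Content-Disposition: attachment). Matching is exact and case-sensitive.` As a point of style, a `frozenset` rather than a tuple makes the "membership only, never indexed" intent explicit and keeps the lookup O(1) if the list grows.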
@@ -91,7 +102,7 @@ class AttachmentController(BaseController):
         if self.artifact.deleted:
             raise exc.HTTPNotFound
         embed = False
-        if self.attachment.content_type and self.attachment.content_type.startswith('image/'):
+        if self.attachment.content_type and self.attachment.content_type in SAFE_CONTENT_TYPES:
             embed = True
         return self.attachment.serve(embed=embed)
 
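Review bot: The allowlist removes the SVG/script case, but an inline-rendered response is still only as safe as the browser's trust in the declared Content-Type: a file stored with an allowlisted type such as `image/gif` whose bytes look like HTML can be content-sniffed unless the response carries `X-Content-Type-Options: nosniff`. Whether `serve()` sets that header cannot be seen from this hunk; if it does not, it should be added for the `embed=True` path, and `test_attach_img` in the test_discuss.py hunk would be the natural place to assert it. A minor style point: `self.attachment.content_type and` is now redundant, since `None in SAFE_CONTENT_TYPES` is already `False`, so the line can read `if self.attachment.content_type in SAFE_CONTENT_TYPES:`. The enclosing method starts outside the hunk.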

http://git-wip-us.apache.org/repos/asf/allura/blob/232fafe7/Allura/allura/tests/functional/test_discuss.py
----------------------------------------------------------------------
diff --git a/Allura/allura/tests/functional/test_discuss.py b/Allura/allura/tests/functional/test_discuss.py
index f5e5b05..bea0f95 100644
--- a/Allura/allura/tests/functional/test_discuss.py
+++ b/Allura/allura/tests/functional/test_discuss.py
@@ -273,11 +273,29 @@ class TestAttachment(TestDiscussBase):
         assert '<div class="attachment_thumb">' in r
         alink = self.attach_link()
         r = self.app.get(alink)
+        assert r.content_type == 'text/plain'
         assert r.content_disposition == 'attachment;filename="test.txt"', 'Attachments should force download'
         r = self.app.post(self.post_link + 'attach',
                           upload_files=[('file_info', 'test.o12', 'HiThere!')])
         r = self.app.post(alink, params=dict(delete='on'))
 
+    def test_attach_svg(self):
+        r = self.app.post(self.post_link + 'attach',
+                          upload_files=[('file_info', 'test.svg', '<svg onclick="prompt(document.domain)"></svg>')])
+        alink = self.attach_link()
+        r = self.app.get(alink)
+        assert r.content_type == 'image/svg+xml'
+        assert r.content_disposition == 'attachment;filename="test.svg"', 'Attachments should force download'
+
+    def test_attach_img(self):
+        r = self.app.post(self.post_link + 'attach',
+                          upload_files=[('file_info', 'handtinyblack.gif',
+                                         'GIF89a\x01\x00\x01\x00\x00\xff\x00,\x00\x00\x00\x00\x01\x00\x01\x00\x00\x02\x00;')])
+        alink = self.attach_link()
+        r = self.app.get(alink)
+        assert r.content_type == 'image/gif'
+        assert r.content_disposition is None
+
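Review bot: `test_attach_svg` and `test_attach_img` leave their uploads in place, whereas the preceding test deletes its attachment via `self.app.post(alink, params=dict(delete='on'))` before returning. If the post fixture is shared between tests in `TestAttachment` (its setup is outside this hunk, so I cannot tell), `attach_link()` in a later test may resolve to a leftover file and the assertions become order-dependent; mirroring the delete at the end of both new tests would remove that risk. The class `TestAttachment` starts outside the hunk.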
     @patch('allura.model.discuss.Post.notify')
     def test_reply_attach(self, notify):
         notify.return_value = True