Defect #25282
closed
Explanation for attachment change in r16285
0%
Description
I'm looking at the 3.2 branch and there was a backport made (r16285) on 1/29/17 that changed images to be sent to the browser as attachments instead of inline. I'm not able to access the issue that's referenced in the commit (#24199). The comment in app/controllers/attachment_controller.rb:download still reads "images are sent inline".
Can someone offer an explanation as to why this change was made?
Thanks!
Updated by James Moore over 7 years ago
Just to follow up, we consider this a regression and have reverted the change locally.
Updated by Jean-Philippe Lang over 7 years ago
r16285 fixes a not yet disclosed XSS vulnerability based on a specific file format. We'll see if we can restore the previous behaviour for file formats that cannot cause this problem.
Updated by James Moore over 7 years ago
- Status changed from New to Resolved
Thanks, that's helpful to know.
Updated by Maximilian Rüdiger over 7 years ago
Wouldn't it be easy to just display everything that's not SVG inline?
Right now the behaviour is "everything that is not pdf -> attachment".
Perhaps it would be an idea to make it configurable in admin settings (some colleagues prefer PDF as attachment).
The behaviour change would be an easy patch; the settings stuff would require some deeper research for me on Redmine internals.
Updated by Go MAEDA over 7 years ago
- Status changed from Resolved to Needs feedback
Maximilian Rüdiger wrote:
Wouldn't it be easy to just display everything that's not SVG inline?
Right now the behaviour is "everything that is not pdf -> attachment".
Default behavior when clicking a file link has been changed to preview in Redmine 3.4.0 (#25988). I think that the inconvenience you are experiencing has been resolved by the change.
Could you test with Redmine 3.4?
Updated by Go MAEDA over 6 years ago
- Status changed from Needs feedback to Closed
I think the new preview feature introduced in Redmine 3.4 (#25988) has resolved this issue.
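Added example, not part of the thread and not Redmine's code: a sketch of the "inline only for file formats that cannot cause this problem" idea, choosing the Content-Disposition from an allowlist checked against the file's leading bytes rather than its name. The helper names and the allowlist contents are assumptions made for illustration.

```ruby
# Hypothetical helper (not Redmine's implementation).
# Assumption: only these raster image types and PDF are rendered inline;
# everything else, including SVG, is forced to download.
INLINE_SAFE_TYPES = {
  'image/png'       => ["\x89PNG\r\n\x1A\n".b],
  'image/jpeg'      => ["\xFF\xD8\xFF".b],
  'image/gif'       => ['GIF87a'.b, 'GIF89a'.b],
  'application/pdf' => ['%PDF-'.b]
}.freeze

# Returns the allowlisted MIME type whose magic bytes match, or nil.
# The uploaded filename and client-supplied type are deliberately ignored.
def sniff_inline_safe_type(head)
  head = head.to_s.b
  INLINE_SAFE_TYPES.each do |type, magics|
    return type if magics.any? { |magic| head.start_with?(magic) }
  end
  nil
end

# Builds the response headers for serving an uploaded file.
def download_headers(filename, head)
  type = sniff_inline_safe_type(head)
  disposition = type ? 'inline' : 'attachment'
  # Keep only the base name and replace characters that could break the header.
  safe_name = File.basename(filename.to_s).gsub(/[^\w.\-]/, '_')
  {
    'Content-Type'           => type || 'application/octet-stream',
    'Content-Disposition'    => %(#{disposition}; filename="#{safe_name}"),
    # Stops the browser from guessing a renderable type on its own.
    'X-Content-Type-Options' => 'nosniff'
  }
end

if __FILE__ == $PROGRAM_NAME
  # Constructed samples: a PNG header, and SVG markup uploaded as "logo.png".
  samples = {
    'shot.png' => "\x89PNG\r\n\x1A\n".b,
    'logo.png' => '<svg xmlns="http://www.w3.org/2000/svg"></svg>'
  }
  samples.each do |name, head|
    puts "#{name}: #{download_headers(name, head)['Content-Disposition']}"
  end
end
```

Unrecognised content is served as `application/octet-stream` with `attachment`, so a file with a misleading extension is never rendered in the application's origin.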