Defect #25282
closed
Explanation for attachment change in r16285
Added by James Moore over 7 years ago.
Updated over 6 years ago.
Description
I'm looking at the 3.2 branch and there was a backport made (r16285) on 1/29/17 that changed images to be sent to the browser as attachments instead of inline. I'm not able to access the issue that's referenced in the commit (#24199). The comment in app/controllers/attachment_controller.rb:download still reads "images are sent inline".
Can someone offer an explanation as to why this change was made?
Thanks!
Just to follow up, we consider this a regression and have reverted the change locally.
r16285 fixes a not yet disclosed XSS vulnerability based on a specific file format. We'll see if we can restore the previous behaviour for file formats that cannot cause this problem.
- Status changed from New to Resolved
Thanks, that's helpful to know.
Wouldn't it be easy to just display everything that's not SVG inline?
Right now the behaviour is "everything that is not PDF -> attachment".
Perhaps it would be an idea to make it configurable in admin settings (some colleagues prefer PDF as attachment).
The behaviour change would be an easy patch; the settings stuff would require some deeper research for me on Redmine internals.
- Status changed from Resolved to Needs feedback
Maximilian Rüdiger wrote:
Wouldn't it be easy to just display everything that's not SVG inline?
Right now the behaviour is "everything that is not PDF -> attachment".
Default behavior when clicking a file link has been changed to preview in Redmine 3.4.0 (#25988). I think that the inconvenience you are experiencing has been resolved by the change.
Could you test with Redmine 3.4?
- Status changed from Needs feedback to Closed
I think the new preview feature introduced in Redmine 3.4 (#25988) has resolved this issue.
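The allow-list approach discussed in this thread (inline only for formats that cannot carry script, attachment for everything else), sketched in Ruby as an added example; it is not Redmine's code or the r16285 change. The helper names and the list of inline-safe types are assumptions, and SVG appears in the sample input only because a commenter raises it; the thread does not name the affected format.

```ruby
# Added illustration, not Redmine code. Names and the type list are assumptions.

# Raster formats a browser decodes as pixels only. SVG, HTML, XML and anything
# unknown are deliberately absent, so they fall through to "attachment".
INLINE_SAFE_TYPES = %w[image/png image/jpeg image/gif image/bmp image/webp].freeze
MIME_TOKEN = %r{\A[a-z0-9.+-]+/[a-z0-9.+-]+\z}

# Build the filename parameters for Content-Disposition without letting the
# uploaded name inject quotes, path segments or CR/LF into the header.
def filename_param(name)
  base = File.basename(name.to_s.scrub('_').delete("\0"))
  ascii = base.gsub(/[^A-Za-z0-9._-]/, '_') # fallback for old clients
  encoded = base.b.gsub(/[^A-Za-z0-9._~-]/) { |c| format('%%%02X', c.ord) }
  %(filename="#{ascii}"; filename*=UTF-8''#{encoded})
end

# Decide how an uploaded file is served, given its stored name and declared type.
def download_headers(filename, declared_type)
  # Compare on the bare media type: drop parameters, whitespace and case.
  type = declared_type.to_s.split(';').first.to_s.strip.downcase
  type = 'application/octet-stream' unless type.match?(MIME_TOKEN)
  disposition = INLINE_SAFE_TYPES.include?(type) ? 'inline' : 'attachment'
  {
    'Content-Type' => type,
    'Content-Disposition' => "#{disposition}; #{filename_param(filename)}",
    # Keep the browser from sniffing the body into a different, active type.
    'X-Content-Type-Options' => 'nosniff'
  }
end

# Constructed sample uploads.
if __FILE__ == $PROGRAM_NAME
  [['shot.png', 'image/png'], ['diagram.svg', 'image/svg+xml; charset=utf-8'],
   ["a\r\nX: y.png", 'IMAGE/PNG'], ['notes', nil]].each do |name, type|
    puts download_headers(name, type)['Content-Disposition']
  end
end
```

The decision is made on the declared type after normalisation, so a parameterised or oddly cased value cannot slip past the allow-list, and a missing or malformed type is served as `application/octet-stream`.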