Project

General

Profile

Actions
Copy link

Patch #3770

closed

text/html documents force currently firefox to open download dialog

Added by Sam Kvasnica about 14 years ago. Updated 9 months ago.

Status:
Closed
Priority:
Normal
Assignee:
-
Category:
Attachments
Target version:
-
Start date:
2009-08-23
Due date:
% Done:

0%

Estimated time:

Description

In our redmine installation, we use attach HTML documentation files under project Documentation section (such as asciidoc-generated html code). The problem is, redmine currently forces Firefox browser to open the download dialog instead to open HTML inline in the browser.

As far I traced this down, this is due to setting the Content-Disposition flag to "attachment" by redmine. I could fix this by adding test for is_text mimetype in in attachments_controller.rb:

---snip---
def download
if @attachment.container.is_a?(Version) || @attachment.container.is_a?(Project)
@attachment.increment_download
end
  1. :disposition => (@attachment.image? ? 'inline' : 'attachment')
    :disposition => ((@attachment.image? || @attachment.is_text?) ? 'inline' : 'attachment')
    end
    ---snip---
  1. images are sent inline
    send_file @attachment.diskfile, :filename => filename_for_content_disposition(@attachment.filename),
    :type => @attachment.content_type,

However, I think this should be handled more in general since there might be pretty much other mimetypes where this is a problem as well.

Files

aaa (584 Bytes) aaa attachments_controller.rb fix Sam Kvasnica, 2009-08-23 13:38

Related issues

Related to Redmine - Defect #6256: Redmine considers non ASCII and UTF-16 text files as binary in SCMClosedToshi MARUYAMA2010-08-31

Actions
Related to Redmine - Feature #2209: MIME type support for repository EntriesClosed2008-11-17

Actions
Actions
Copy link
 #1

Updated by Sam Kvasnica about 14 years ago

2nd try:

In our redmine installation, we attach HTML documentation files under project Documentation section (such as asciidoc-generated html code). The problem is, redmine currently forces Firefox browser to open the download dialog instead to open HTML inline in the browser.

As far I traced this down, this is due to setting the Content-Disposition flag to "attachment" by redmine. I could fix this by adding test for is_text mimetype in in attachments_controller.rb:

@ ---snip---
def download
if @attachment.container.is_a?(Version) || @attachment.container.is_a?(Project)
@attachment.increment_download
end

  1. images are sent inline
    send_file @attachment.diskfile, :filename => filename_for_content_disposition(@attachment.filename),
    :type => @attachment.content_type,
  2. :disposition => (@attachment.image? ? 'inline' : 'attachment')
    :disposition => ((@attachment.image? || @attachment.is_text?) ? 'inline' : 'attachment')
    end
---snip---
@ 
However, I think this should be handled more in general since there might be pretty much other mimetypes where this is a problem as well.
Actions
Copy link
 #2

Updated by Sam Kvasnica about 14 years ago

3rd try as attachment: verbatim code does not seem to work really...

Actions
Copy link
 #3

Updated by Toshi MARUYAMA over 12 years ago

  • Category set to Attachments
Actions
Copy link
 #4

Updated by Holger Just 9 months ago

  • Status changed from New to Closed

Closing as Won't fix.

Downloading raw attachments (even more so with a user-chosable mime-type) would be a huge security issue as it could result in XSS and other vulnerabilities. As such, we have tightened this even more since.

Actions
Copy link

Also available in: Atom PDF