Patch #3770
closed
text/html documents force currently firefox to open download dialog
Description
In our Redmine installation, we attach HTML documentation files under the project Documentation section (such as asciidoc-generated HTML code). The problem is that Redmine currently forces the Firefox browser to open the download dialog instead of opening the HTML inline in the browser.
As far as I traced this down, this is due to Redmine setting the Content-Disposition flag to "attachment". I could fix this by adding a test for the is_text mimetype in attachments_controller.rb:
---snip---def download
if @attachment.container.is_a?(Version) || @attachment.container.is_a?(Project)
@attachment.increment_download
end
- :disposition => (@attachment.image? ? 'inline' : 'attachment')
:disposition => ((@attachment.image? || @attachment.is_text?) ? 'inline' : 'attachment')
end
---snip---
- images are sent inline
send_file @attachment.diskfile, :filename => filename_for_content_disposition(@attachment.filename),
:type => @attachment.content_type,
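Review bot: the `@attachment.is_text?` branch on the new `:disposition` line sends text/html uploads inline while `:type => @attachment.content_type` passes the stored type through unchanged, so an uploaded HTML file would render, scripts included, in the tracker's own origin. Keep `'attachment'` for anything that can carry markup or script, and if inline text is wanted, serve it as `text/plain` rather than the stored type.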
However, I think this should be handled more generally, since there might be quite a few other mimetypes where this is a problem as well.
Updated by Sam Kvasnica about 14 years ago
2nd try:
In our Redmine installation, we attach HTML documentation files under the project Documentation section (such as asciidoc-generated HTML code). The problem is that Redmine currently forces the Firefox browser to open the download dialog instead of opening the HTML inline in the browser.
As far as I traced this down, this is due to Redmine setting the Content-Disposition flag to "attachment". I could fix this by adding a test for the is_text mimetype in attachments_controller.rb:
@ ---snip---
def download
if @attachment.container.is_a?(Version) || @attachment.container.is_a?(Project)
@attachment.increment_download
end
- images are sent inline
send_file @attachment.diskfile, :filename => filename_for_content_disposition(@attachment.filename),
:type => @attachment.content_type, - :disposition => (@attachment.image? ? 'inline' : 'attachment')
:disposition => ((@attachment.image? || @attachment.is_text?) ? 'inline' : 'attachment')
end
---snip---
@
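Review bot: the comment above `send_file` still reads "images are sent inline", which no longer describes the condition once `@attachment.is_text?` is added to it; update the comment together with the `:disposition` line. The replacement `:disposition` line also carries no `+` marker, so the snippet cannot be applied as a diff; a proper patch file would avoid that.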
However, I think this should be handled more generally, since there might be quite a few other mimetypes where this is a problem as well.
Updated by Sam Kvasnica about 14 years ago
3rd try as attachment: verbatim code does not seem to work really...
Updated by Holger Just 9 months ago
- Status changed from New to Closed
Closing as Won't fix.
Downloading raw attachments (even more so with a user-choosable mime-type) would be a huge security issue as it could result in XSS and other vulnerabilities. As such, we have tightened this even more since.
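The trade-off described in the closing comment, as an added Ruby example that is not Redmine's code: a simplified model of the proposed policy next to an allow-list policy that only renders script-free types inline. The function names, the allow-list and the sample uploads are assumptions made for this illustration.

```ruby
# Added illustration, not Redmine code. Function names and the allow-list
# are assumptions made for this example.

# Types treated as safe to render inline because they cannot carry script.
INLINE_SAFE_TYPES = %w[image/png image/jpeg image/gif text/plain].freeze

# Simplified model of the proposed patch: images and text types go inline,
# and the stored (uploader-influenced) content type is passed through.
def patched_disposition(content_type)
  major = content_type.to_s.downcase.split('/').first
  %w[image text].include?(major) ? 'inline' : 'attachment'
end

# Hardened policy: inline only for allow-listed types. Everything else is
# downgraded to an opaque download, whatever type was stored with it.
def hardened_headers(filename, content_type)
  type = content_type.to_s.downcase.split(';').first.to_s.strip
  inline = INLINE_SAFE_TYPES.include?(type)
  # Keep only the base name and replace quoting/control characters.
  safe_name = File.basename(filename.to_s).gsub(/[^\w.\-]/, '_')
  {
    'Content-Type' => inline ? type : 'application/octet-stream',
    'Content-Disposition' =>
      %(#{inline ? 'inline' : 'attachment'}; filename="#{safe_name}"),
    'X-Content-Type-Options' => 'nosniff', # stop the browser guessing HTML
    'Content-Security-Policy' => "default-src 'none'; sandbox"
  }
end

# Constructed sample uploads: [filename, stored content type].
SAMPLES = [
  ['manual.html', 'text/html'],
  ['logo.svg', 'image/svg+xml'],
  ['shot.png', 'image/png'],
  ['notes.txt', 'text/plain']
].freeze

if __FILE__ == $PROGRAM_NAME
  SAMPLES.each do |name, type|
    h = hardened_headers(name, type)
    puts format('%-12s %-14s patched=%-10s hardened=%s',
                name, type, patched_disposition(type), h['Content-Disposition'])
  end
end
```

Documentation that has to be browsable as HTML is better published from a separate origin than served inline from the tracker itself.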