[#8011] only serve some image types directly
diff --git a/Allura/allura/controllers/attachments.py b/Allura/allura/controllers/attachments.py
index da25767..cf40fee 100644
--- a/Allura/allura/controllers/attachments.py
+++ b/Allura/allura/controllers/attachments.py
@@ -25,6 +25,17 @@
from .base import BaseController
+# text/html, script, flash, image/svg+xml, etc are NOT secure to display directly in the browser
+SAFE_CONTENT_TYPES = (
+ 'image/png', 'image/x-png',
+ 'image/jpeg', 'image/pjpeg', 'image/jpg',
+ 'image/gif',
+ 'image/bmp',
+ 'image/tiff',
+ 'image/x-icon',
+)
+
+
class AttachmentsController(BaseController):
AttachmentControllerClass = None
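Review bot: SAFE_CONTENT_TYPES is checked by exact string membership in the second hunk, so the comment above it should state that the match is exact and case-sensitive: a declared type such as `image/png; charset=binary` or `IMAGE/PNG` will not match and falls through to the forced-download path, which is the safe direction but is not obvious from the list alone. The allowlist shape is the right one here, since anything not listed (including the types the comment names) is downloaded rather than rendered. A `frozenset` would make the membership test O(1) and signal that the collection is not meant to be ordered or mutated, e.g. `SAFE_CONTENT_TYPES = frozenset((` … `))`, though with nine entries the tuple is not a practical problem. Whether `content_type` is derived from the upload filename or the body is not visible in this diff; if it comes from the filename, that is worth noting next to the list so readers understand what the allowlist does and does not vouch for.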
@@ -91,7 +102,7 @@
if self.artifact.deleted:
raise exc.HTTPNotFound
embed = False
- if self.attachment.content_type and self.attachment.content_type.startswith('image/'):
+ if self.attachment.content_type and self.attachment.content_type in SAFE_CONTENT_TYPES:
embed = True
return self.attachment.serve(embed=embed)
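Review bot: The `self.attachment.content_type and` guard on the new line is redundant: `None in SAFE_CONTENT_TYPES` is already False, so the three lines reduce to `embed = self.attachment.content_type in SAFE_CONTENT_TYPES` and the separate `embed = False` assignment can go. The enclosing method starts outside this hunk. Because the allowlist only inspects the declared type, it would be worth confirming that `serve()` (not visible here) emits `X-Content-Type-Options: nosniff` on the embedded path, so a browser does not sniff an allowlisted image response into another type; if it does not, that is the natural place to add it.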
diff --git a/Allura/allura/tests/functional/test_discuss.py b/Allura/allura/tests/functional/test_discuss.py
index f5e5b05..bea0f95 100644
--- a/Allura/allura/tests/functional/test_discuss.py
+++ b/Allura/allura/tests/functional/test_discuss.py
@@ -273,11 +273,29 @@
assert '<div class="attachment_thumb">' in r
alink = self.attach_link()
r = self.app.get(alink)
+ assert r.content_type == 'text/plain'
assert r.content_disposition == 'attachment;filename="test.txt"', 'Attachments should force download'
r = self.app.post(self.post_link + 'attach',
upload_files=[('file_info', 'test.o12', 'HiThere!')])
r = self.app.post(alink, params=dict(delete='on'))
+ def test_attach_svg(self):
+ r = self.app.post(self.post_link + 'attach',
+ upload_files=[('file_info', 'test.svg', '<svg onclick="prompt(document.domain)"></svg>')])
+ alink = self.attach_link()
+ r = self.app.get(alink)
+ assert r.content_type == 'image/svg+xml'
+ assert r.content_disposition == 'attachment;filename="test.svg"', 'Attachments should force download'
+
+ def test_attach_img(self):
+ r = self.app.post(self.post_link + 'attach',
+ upload_files=[('file_info', 'handtinyblack.gif',
+ 'GIF89a\x01\x00\x01\x00\x00\xff\x00,\x00\x00\x00\x00\x01\x00\x01\x00\x00\x02\x00;')])
+ alink = self.attach_link()
+ r = self.app.get(alink)
+ assert r.content_type == 'image/gif'
+ assert r.content_disposition is None
+
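Review bot: `test_attach_svg` is inserted directly after the last line of the previous test with no blank line between methods, while the added blank line before `@patch` keeps the old spacing; move the blank line so it precedes `def test_attach_svg(self):`. In both new tests the `r` bound by the `attach` post is overwritten before use, so the first assignment can be dropped. The GIF fixture at the `handtinyblack.gif` upload is a plain string literal containing `\xff`; if this test module ever runs under Python 3 that becomes a `str` rather than `bytes`, so a `b'...'` literal (or a short comment saying the test is Python 2 only) would make the intent explicit — I cannot tell the target interpreter from this diff. The two tests cover the allowlisted and non-allowlisted types well; a third case with an allowlisted extension but non-image body would document what the declared-type check does not cover.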
@patch('allura.model.discuss.Post.notify')
def test_reply_attach(self, notify):
notify.return_value = True