[#8011] only serve some image types directly
diff --git a/Allura/allura/controllers/attachments.py b/Allura/allura/controllers/attachments.py
index da25767..cf40fee 100644
--- a/Allura/allura/controllers/attachments.py
+++ b/Allura/allura/controllers/attachments.py
@@ -25,6 +25,17 @@
 from .base import BaseController
 
 
+# text/html, script, flash, image/svg+xml, etc are NOT secure to display directly in the browser
+SAFE_CONTENT_TYPES = (
+    'image/png', 'image/x-png',
+    'image/jpeg', 'image/pjpeg', 'image/jpg',
+    'image/gif',
+    'image/bmp',
+    'image/tiff',
+    'image/x-icon',
+)
+
+
 class AttachmentsController(BaseController):
     AttachmentControllerClass = None
 
@@ -91,7 +102,7 @@
         if self.artifact.deleted:
             raise exc.HTTPNotFound
         embed = False
-        if self.attachment.content_type and self.attachment.content_type.startswith('image/'):
+        if self.attachment.content_type and self.attachment.content_type in SAFE_CONTENT_TYPES:
             embed = True
         return self.attachment.serve(embed=embed)
 
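Review bot: The allowlist check on the changed line keys only on the stored content_type, which as far as this hunk shows is recorded metadata rather than something derived from the file bytes, so an attachment whose recorded type is an allowed image type but whose bytes are not an image is still served inline and left to the browser's content sniffing. Unless serve() already sets it (it is not visible here), the embedded response should also carry `X-Content-Type-Options: nosniff` so the browser sticks to the declared image type. The `self.attachment.content_type and` guard is now redundant, since `None in SAFE_CONTENT_TYPES` is simply False: `if self.attachment.content_type in SAFE_CONTENT_TYPES:`. A one-line comment would help the next reader, e.g. `# only allowlisted raster image types render inline; everything else is forced to download`. The enclosing method starts outside this hunk.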
diff --git a/Allura/allura/tests/functional/test_discuss.py b/Allura/allura/tests/functional/test_discuss.py
index f5e5b05..bea0f95 100644
--- a/Allura/allura/tests/functional/test_discuss.py
+++ b/Allura/allura/tests/functional/test_discuss.py
@@ -273,11 +273,29 @@
         assert '<div class="attachment_thumb">' in r
         alink = self.attach_link()
         r = self.app.get(alink)
+        assert r.content_type == 'text/plain'
         assert r.content_disposition == 'attachment;filename="test.txt"', 'Attachments should force download'
         r = self.app.post(self.post_link + 'attach',
                           upload_files=[('file_info', 'test.o12', 'HiThere!')])
         r = self.app.post(alink, params=dict(delete='on'))
 
+    def test_attach_svg(self):
+        r = self.app.post(self.post_link + 'attach',
+                          upload_files=[('file_info', 'test.svg', '<svg onclick="prompt(document.domain)"></svg>')])
+        alink = self.attach_link()
+        r = self.app.get(alink)
+        assert r.content_type == 'image/svg+xml'
+        assert r.content_disposition == 'attachment;filename="test.svg"', 'Attachments should force download'
+
+    def test_attach_img(self):
+        r = self.app.post(self.post_link + 'attach',
+                          upload_files=[('file_info', 'handtinyblack.gif',
+                                         'GIF89a\x01\x00\x01\x00\x00\xff\x00,\x00\x00\x00\x00\x01\x00\x01\x00\x00\x02\x00;')])
+        alink = self.attach_link()
+        r = self.app.get(alink)
+        assert r.content_type == 'image/gif'
+        assert r.content_disposition is None
+
     @patch('allura.model.discuss.Post.notify')
     def test_reply_attach(self, notify):
         notify.return_value = True