
D25464.1726901075.diff


diff --git a/src/applications/files/config/PhabricatorFilesConfigOptions.php b/src/applications/files/config/PhabricatorFilesConfigOptions.php
--- a/src/applications/files/config/PhabricatorFilesConfigOptions.php
+++ b/src/applications/files/config/PhabricatorFilesConfigOptions.php
@@ -135,8 +135,9 @@
pht(
"Configure which uploaded file types may be viewed directly ".
"in the browser. Other file types will be downloaded instead ".
- "of displayed. This is mainly a usability consideration, since ".
- "browsers tend to freak out when viewing very large binary files.".
+ "of displayed. This is a usability and security consideration, ".
+ "since browsers tend to freak out when viewing very large ".
+ "binary files, and some file types are vulnerable to XSS attacks.".
"\n\n".
"The keys in this map are viewable MIME types; the values are ".
"the MIME types they are delivered as when they are viewed in ".
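Review bot: The added wording "some file types are vulnerable to XSS attacks" is imprecise for the administrator this help text is aimed at: a file type is not itself vulnerable, the risk is that a type the browser interprets instead of downloading can carry active content that then runs in this site's origin. I would phrase the added sentence as `"binary files, and some file types can carry active content that executes in this site's origin when viewed inline rather than downloaded."`. Stating the risk that way makes it clearer why a type should be left out of this map unless inline viewing is actually needed.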
diff --git a/src/applications/files/document/PhabricatorPDFDocumentEngine.php b/src/applications/files/document/PhabricatorPDFDocumentEngine.php
--- a/src/applications/files/document/PhabricatorPDFDocumentEngine.php
+++ b/src/applications/files/document/PhabricatorPDFDocumentEngine.php
@@ -14,14 +14,16 @@
}
protected function canRenderDocumentType(PhabricatorDocumentRef $ref) {
- // Since we just render a link to the document anyway, we don't need to
- // check anything fancy in config to see if the MIME type is actually
- // viewable.
+ $viewable_types = PhabricatorEnv::getEnvConfig('files.viewable-mime-types');
+ $viewable_types = array_keys($viewable_types);
- return $ref->hasAnyMimeType(
- array(
- 'application/pdf',
- ));
+ $pdf_types = array(
+ 'application/pdf',
+ );
+
+ return
+ $ref->hasAnyMimeType($viewable_types) &&
+ $ref->hasAnyMimeType($pdf_types);
}
protected function newDocumentContent(PhabricatorDocumentRef $ref) {
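Review bot: The return expression on the last three added lines expresses "PDF is an allowed viewable type" indirectly, as two independent `hasAnyMimeType()` tests, which only combine the way the commit intends if a ref carries a single MIME type and `hasAnyMimeType()` does exact matching; neither is visible in this hunk. Consulting the config list directly avoids that dependency: `return $ref->hasAnyMimeType($pdf_types) && in_array('application/pdf', $viewable_types, true);`. The new lines also drop the old explanatory comment without saying why the engine now consults `files.viewable-mime-types`; I would add `// Only offer inline rendering when an administrator has explicitly listed application/pdf as viewable; otherwise the file is downloaded instead.` above the return. `newDocumentContent()` begins on the hunk's last line and its body is outside the hunk, so how the PDF is actually embedded could not be checked here.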
