D25464.1737323030.diff
diff --git a/src/applications/files/config/PhabricatorFilesConfigOptions.php b/src/applications/files/config/PhabricatorFilesConfigOptions.php
--- a/src/applications/files/config/PhabricatorFilesConfigOptions.php
+++ b/src/applications/files/config/PhabricatorFilesConfigOptions.php
@@ -134,9 +134,11 @@
->setDescription(
pht(
"Configure which uploaded file types may be viewed directly ".
- "in the browser. Other file types will be downloaded instead ".
- "of displayed. This is mainly a usability consideration, since ".
- "browsers tend to freak out when viewing very large binary files.".
+ "in the browser. Other types will be downloaded instead of ".
+ "displayed. This is a usability and security consideration, ".
+ "since browsers tend to freak out when viewing very large ".
+ "binary files, and some types may be vulnerable to XSS attacks ".
+ "when viewed in a browser.".
"\n\n".
"The keys in this map are viewable MIME types; the values are ".
"the MIME types they are delivered as when they are viewed in ".
diff --git a/src/applications/files/document/PhabricatorPDFDocumentEngine.php b/src/applications/files/document/PhabricatorPDFDocumentEngine.php
--- a/src/applications/files/document/PhabricatorPDFDocumentEngine.php
+++ b/src/applications/files/document/PhabricatorPDFDocumentEngine.php
@@ -14,14 +14,16 @@
}
protected function canRenderDocumentType(PhabricatorDocumentRef $ref) {
- // Since we just render a link to the document anyway, we don't need to
- // check anything fancy in config to see if the MIME type is actually
- // viewable.
+ $viewable_types = PhabricatorEnv::getEnvConfig('files.viewable-mime-types');
+ $viewable_types = array_keys($viewable_types);
- return $ref->hasAnyMimeType(
- array(
- 'application/pdf',
- ));
+ $pdf_types = array(
+ 'application/pdf',
+ );
+
+ return
+ $ref->hasAnyMimeType($viewable_types) &&
+ $ref->hasAnyMimeType($pdf_types);
}
protected function newDocumentContent(PhabricatorDocumentRef $ref) {
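Review bot: The two `hasAnyMimeType()` calls in `canRenderDocumentType` are checked independently, so if a `PhabricatorDocumentRef` can carry more than one MIME type the conjunction could be satisfied by a viewable non-PDF type plus an unlisted PDF type; intersecting first expresses the intent directly and closes that gap: `return $ref->hasAnyMimeType(array_intersect($pdf_types, $viewable_types));`. The hunk also drops the old explanatory comment without replacing it, so a reader no longer sees why a config lookup gates a rendering decision; I would add `// Only render inline when the administrator has listed PDF in files.viewable-mime-types; the config description notes some inline-viewed types can carry XSS.` above the `$viewable_types` lookup. Note that `getEnvConfig()` returning an empty map correctly disables inline PDF rendering here, which is the safe default. The method body ends inside the hunk; `newDocumentContent` on the last context line continues outside it.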
