Closed Bug 1538383 Opened 2 years ago Closed 2 years ago

Allow to hide inline preview when attaching a file, e.g. SVG crashtests.

Categories

(bugzilla.mozilla.org :: User Interface, enhancement)

Staging
enhancement
Not set
normal

Tracking

()

RESOLVED FIXED

People

(Reporter: emilio, Assigned: kohei.yoshino)

References

Details

Attachments

(1 file)

46 bytes, text/x-github-pull-request
Details | Review

This is related to bug 1535723.

I wanted to attach a crashing SVG in bug 1531333, and I had to attach a tarball instead, because when I click the browse button and click on the SVG, Bugzilla insisted in previewing it, which of course made my browser crash :)

I personally think PoCs shouldn’t be attached directly. That kind of SVG, HTML, etc. will crash or hang the browser even without inline attachments when users click on the attachment link or preview it via the lightbox overlay. These files need to be zipped before attaching. Otherwise, the workaround being created in Bug 1535723 should be enough.

Is there is a reason to not set the mime type to application/octet-stream when the file is not meant to be previewed?

Flags: needinfo?(kohei.yoshino)

Yeah, that’s another workaround.

Flags: needinfo?(kohei.yoshino)

Should be an option when attaching something to disable preview, which sets that mime type. I think

Okay. Let’s add “Hide preview” checkbox that will change the MIME type to application/octet-stream.

Assignee: nobody → kohei.yoshino
Status: NEW → ASSIGNED
Summary: Attachment preview prevents attaching SVG crashtests. → Allow to hide inline preview when attaching a file, e.g. SVG crashtests.
Attached file GitHub Pull Request

Nah, what my PR is going solve is different from the reported issue, which happens on not on the modal bug page but on the New Attachment page, which has the preview of a file to be uploaded. Well, in that case, I’d repeat my Comment 1; any PoC should be zipped in advance.

The “Hide preview” checkbox is fine though, so I’ll keep it in the review queue.

(In reply to Kohei Yoshino [:kohei] (Bugzilla UX) (FxSiteCompat) from comment #7)

Nah, what my PR is going solve is different from the reported issue, which happens on not on the modal bug page but on the New Attachment page, which has the preview of a file to be uploaded. Well, in that case, I’d repeat my Comment 1; any PoC should be zipped in advance.

To be fair, I don't think that's acceptable. All our fuzzers already attach HTML files to bugzilla, and there's value in being able to debug a test-case just opening it from bugzilla rather than having to download, unzip it, serve it locally, and run.

I’m still not sure how people are comfortable opening a crash-y image or HTML file directly in the browser without seeing the source, probably not in a sandbox environment. Clever developers may right-click the link to save it locally, but Bugzilla is open to everyone, so I think such a practice needs to be changed.

Anyway, all I have to do here is preventing SVG images from being previewed. Certain GIF, PNG, JPEG and WebP files may also lead to a crash or hang, but those are generally safer than SVG.

Merged to master.

Status: ASSIGNED → RESOLVED
Closed: 2 years ago
Resolution: --- → FIXED
See Also: → 1547714
You need to log in before you can comment on or make changes to this bug.