Open Bug 549182 Opened 15 years ago Updated 10 years ago

text/plain attachments should display inline even with allow_attachment_display=no

Categories: Bugzilla :: Attachments & Requests, enhancement
Version: 3.4.5
Type: enhancement
Priority: Not set
Severity: normal
Status: REOPENED
Reporter: jyasskin
Assignee: Unassigned

User-Agent:       Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_5_8; en-US) AppleWebKit/533.1 (KHTML, like Gecko) Chrome/5.0.335.0 Safari/533.1
Build Identifier: 3.4.5 

text/plain files don't run JavaScript in most browsers, so they're not an XSS risk like http://www.bugzilla.org/security/2.22.6/ describes. It should be safe to allow them to display inline.

Reproducible: Always
OS: Mac OS X → All
Hardware: x86 → All
I think IE has non-standard autonegotiation schemes, so files which include JavaScript or HTML strings will be treated as .js or .html whenever the server says text/plain.
So, there IS some risk.
Wontfix per our long discussion in bug 38862, e.g. bug 38862 comment 138.
Status: UNCONFIRMED → RESOLVED
Closed: 15 years ago
Resolution: --- → WONTFIX
Version: unspecified → 3.4.5
Thanks for the reply. Insecure browsers strike again.

I guess the right fix will be something browser-side like http://code.google.com/p/chromium/issues/detail?id=24675.
Would upstream reconsider this if we specifically excluded MSIE browsers? Red Hat currently has some code that does this (which has been running longer than this bug) without any issue. We would like to get it upstreamed.
Flags: needinfo?(justdave)
It would probably also be safe to display (even in those other browsers) if instead of just dumping the text/plain to the browser, we make it text/html on purpose and HTML-escape the entire document. We could probably add a line at the top saying it's been processed for display in the browser and add a link to get the raw version if you really want it (which does the disposition:attachment to make it download). For backward compatibility we should probably make the existing URLs get the raw version and add a param to indicate the parsed version to all the links in the UI.

Reopening the bug for now just to get some discussion. Maybe it'll get WONTFIXed again, but we should probably talk about it again in light of new ideas before leaving it killed.
Status: RESOLVED → REOPENED
Ever confirmed: true
Flags: needinfo?(justdave)
Resolution: WONTFIX → ---
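The escape-and-wrap scheme proposed above, as an added Python example that is not Bugzilla's own (Perl) code: a text/plain attachment under allow_attachment_display=no is HTML-escaped and served as a generated text/html page with a link to a raw download, every other type is forced to download, and an X-Content-Type-Options: nosniff header (not mentioned in the thread) is added as the browser-side defence against the IE sniffing the thread worries about. The Response type, the _download helper and the raw_url parameter are assumptions of this example.

```python
import html
from dataclasses import dataclass, field


@dataclass
class Response:
    headers: dict = field(default_factory=dict)
    body: bytes = b""


def _safe_filename(name: str) -> str:
    # Drop CR/LF, quotes and backslashes so an attachment name cannot break
    # out of the quoted header value or inject extra headers.
    return "".join(c for c in name if c not in '"\\\r\n')


def _download(data: bytes, filename: str) -> Response:
    # Forced download: generic type plus attachment disposition; nosniff tells
    # browsers that honour it not to guess a richer type from the bytes.
    return Response({
        "Content-Type": "application/octet-stream",
        "Content-Disposition": f'attachment; filename="{_safe_filename(filename)}"',
        "X-Content-Type-Options": "nosniff",
    }, data)


def serve_attachment(data: bytes, content_type: str, filename: str,
                     allow_attachment_display: bool, raw: bool = False,
                     raw_url: str = "?raw=1") -> Response:
    """Return the headers and body for one attachment request."""
    if raw or (not allow_attachment_display and content_type != "text/plain"):
        return _download(data, filename)
    if allow_attachment_display:
        # Permissive setting: the attachment is rendered as-is, as today.
        return Response({"Content-Type": content_type,
                         "Content-Disposition": f'inline; filename="{_safe_filename(filename)}"'}, data)
    # text/plain with display disabled: escape the whole body and serve it as
    # HTML we generated, so the original bytes can never be sniffed as a document.
    text = data.decode("utf-8", errors="replace")
    page = ('<!DOCTYPE html><html><head><meta charset="utf-8">'
            f"<title>{html.escape(filename)}</title></head><body>"
            "<p>This attachment has been processed for display in the browser. "
            f'<a href="{html.escape(raw_url, quote=True)}">Download the raw version</a></p>'
            f"<pre>{html.escape(text)}</pre></body></html>")
    return Response({
        "Content-Type": "text/html; charset=utf-8",
        "Content-Disposition": f'inline; filename="{_safe_filename(filename)}.html"',
        "X-Content-Type-Options": "nosniff",
    }, page.encode("utf-8"))
```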
I think the above is a backwards step. Either we show it or we don't. The other bug mentioned in comment #2 was TL;DR, but my understanding is that MSIE is the only browser that doesn't display text/plain as text/plain, and for the minority of people that still use it (both bmo and brc have very low IE usage), they should get text/plain as a download only.

OTOH, the vast majority of people that use Chrom*, Fx, Opera, etc would get a productivity improvement by displaying text/plain documents inline.

My 2¢ worth at least.