authorFrédéric Buclin <LpSolit@gmail.com>2015-05-14 15:05:09 +0200
committerFrédéric Buclin <LpSolit@gmail.com>2015-05-14 15:05:09 +0200
commitbd4bfe35ac0c3c7808bedf99a9f6c68b16ec215b (patch)
treed888a5f6593fb0e6b32515a064b37b6b59ced0ff
parent8ff02d6ac19a2a0bc99e2d5c5a0d0cb101c52f45 (diff)
Bug 1160809: Validate the MIME type before uploading attachments
r=dkl a=glob
-rw-r--r--template/en/default/attachment/createformcontents.html.tmpl3
-rw-r--r--template/en/default/attachment/edit.html.tmpl7
2 files changed, 8 insertions, 2 deletions
diff --git a/template/en/default/attachment/createformcontents.html.tmpl b/template/en/default/attachment/createformcontents.html.tmpl
index 48e4f4af0..293fc3d92 100644
--- a/template/en/default/attachment/createformcontents.html.tmpl
+++ b/template/en/default/attachment/createformcontents.html.tmpl
@@ -68,6 +68,9 @@
<label for="manual">enter manually</label>:
<input type="text" name="contenttypeentry" id="contenttypeentry"
size="30" maxlength="200"
+ pattern="([% constants.LEGAL_CONTENT_TYPES.join('|') FILTER html %])/.+"
+ title="The content type must be of the form 'type/subtype', where 'type'
+ is one of: [% constants.LEGAL_CONTENT_TYPES.join(', ') FILTER html %]"
onchange="if (this.value) this.form.contenttypemethod[2].checked = true;">
</td>
</tr>
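Review bot: The `pattern` added to `contenttypeentry` is enforced only by browsers that implement HTML5 constraint validation, so it is a usability hint and not a security control; any client that posts the form directly skips it. The same applies to the identical attribute added in edit.html.tmpl. The server-side check of `contenttypeentry` against `LEGAL_CONTENT_TYPES` is not visible in this diff and has to remain the authoritative one, and since `.+` accepts any characters after the slash the subtype is not constrained here either. I would record that next to the input with a template comment such as `[%# Client-side hint only: the server must still validate contenttypeentry against LEGAL_CONTENT_TYPES. %]`. The enclosing table row starts outside the hunk.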
diff --git a/template/en/default/attachment/edit.html.tmpl b/template/en/default/attachment/edit.html.tmpl
index b6f612f3f..092f3e76a 100644
--- a/template/en/default/attachment/edit.html.tmpl
+++ b/template/en/default/attachment/edit.html.tmpl
@@ -94,9 +94,12 @@
<label for="contenttypeentry">MIME Type:</label>
<input type="text" size="20" class="text block[% editable_or_hide %]"
id="contenttypeentry" name="contenttypeentry"
- value="[% attachment.contenttype FILTER html %]">
+ pattern="([% constants.LEGAL_CONTENT_TYPES.join('|') FILTER html %])/.+"
+ title="The content type must be of the form 'type/subtype', where 'type'
+ is one of: [% constants.LEGAL_CONTENT_TYPES.join(', ') FILTER html %]"
+ value="[% attachment.contenttype FILTER html %]">
</div>
-
+
<div id="attachment_creator">
<span class="label">Creator:</span>
[%+ INCLUDE global/user.html.tmpl who = attachment.attacher %]
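Review bot: In edit.html.tmpl the new `pattern` sits on an input that is pre-filled from `attachment.contenttype`, so an attachment whose stored type does not match the pattern would fail constraint validation and block submission of the whole form, even when the user changes only another field. Whether such stored values exist cannot be told from this diff, but if the `editable_or_hide` class hides the field the browser may be unable to show the validation message. It is worth checking the edit form against an attachment with a non-matching stored type, and documenting the behaviour with a comment such as `[%# A stored contenttype that fails this pattern blocks form submission until it is corrected. %]`. The enclosing form and `div` start outside the hunk.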