Bug 472206: [SECURITY] Bugzilla should optionally not allow the user to view possibly harmful attachments - Patch by FrÃ©dÃ©ric Buclin <LpSolit@gmail.com> r=mkanat r=justdave a=LpSolit

author: lpsolit%gmail.com <> 2009-02-02 20:10:32 +0100
committer: lpsolit%gmail.com <> 2009-02-02 20:10:32 +0100
commit: 9c49307f5c2f5a67ab5b3b1270cc83b30efa8637 (patch)
tree: 4b499585721720596570442514b89eb8c41ed7e3 /attachment.cgi
parent: d382992164347e076c51d3116a32aeabb2beecd5 (diff)
download: bugzilla-9c49307f5c2f5a67ab5b3b1270cc83b30efa8637.tar.gz
bugzilla-9c49307f5c2f5a67ab5b3b1270cc83b30efa8637.tar.xz
1 files changed, 3 insertions, 1 deletions
diff --git a/attachment.cgi b/attachment.cgi
index f1753261d..16615abae 100755
--- a/attachment.cgi
+++ b/attachment.cgi
@@ -332,8 +332,10 @@ sub view {
     $filename =~ s/\\/\\\\/g; # escape backslashes
     $filename =~ s/"/\\"/g; # escape quotes
 
+    my $disposition = Bugzilla->params->{'allow_attachment_display'} ? 'inline' : 'attachment';
+
     print $cgi->header(-type=>"$contenttype; name=\"$filename\"",
-                       -content_disposition=> "inline; filename=\"$filename\"",
+                       -content_disposition=> "$disposition; filename=\"$filename\"",
                        -content_length => $attachment->datasize);
     disable_utf8();
     print $attachment->data;
author	lpsolit%gmail.com <>	2009-02-02 20:10:32 +0100
committer	lpsolit%gmail.com <>	2009-02-02 20:10:32 +0100
commit	9c49307f5c2f5a67ab5b3b1270cc83b30efa8637 (patch)
tree	4b499585721720596570442514b89eb8c41ed7e3 /attachment.cgi
parent	d382992164347e076c51d3116a32aeabb2beecd5 (diff)
download	bugzilla-9c49307f5c2f5a67ab5b3b1270cc83b30efa8637.tar.gz bugzilla-9c49307f5c2f5a67ab5b3b1270cc83b30efa8637.tar.xz