diff options
author | lpsolit%gmail.com <> | 2009-02-02 20:10:32 +0100 |
---|---|---|
committer | lpsolit%gmail.com <> | 2009-02-02 20:10:32 +0100 |
commit | 9c49307f5c2f5a67ab5b3b1270cc83b30efa8637 (patch) | |
tree | 4b499585721720596570442514b89eb8c41ed7e3 /attachment.cgi | |
parent | d382992164347e076c51d3116a32aeabb2beecd5 (diff) | |
download | bugzilla-9c49307f5c2f5a67ab5b3b1270cc83b30efa8637.tar.gz bugzilla-9c49307f5c2f5a67ab5b3b1270cc83b30efa8637.tar.xz |
Bug 472206: [SECURITY] Bugzilla should optionally not allow the user to view possibly harmful attachments - Patch by Frédéric Buclin <LpSolit@gmail.com> r=mkanat r=justdave a=LpSolit
Diffstat (limited to 'attachment.cgi')
-rwxr-xr-x | attachment.cgi | 4 |
1 files changed, 3 insertions, 1 deletions
diff --git a/attachment.cgi b/attachment.cgi index f1753261d..16615abae 100755 --- a/attachment.cgi +++ b/attachment.cgi @@ -332,8 +332,10 @@ sub view { $filename =~ s/\\/\\\\/g; # escape backslashes $filename =~ s/"/\\"/g; # escape quotes + my $disposition = Bugzilla->params->{'allow_attachment_display'} ? 'inline' : 'attachment'; + print $cgi->header(-type=>"$contenttype; name=\"$filename\"", - -content_disposition=> "inline; filename=\"$filename\"", + -content_disposition=> "$disposition; filename=\"$filename\"", -content_length => $attachment->datasize); disable_utf8(); print $attachment->data; |