author | lpsolit%gmail.com <> | 2009-02-02 20:10:32 +0100 |
---|---|---|
committer | lpsolit%gmail.com <> | 2009-02-02 20:10:32 +0100 |
commit | 9c49307f5c2f5a67ab5b3b1270cc83b30efa8637 (patch) | |
tree | 4b499585721720596570442514b89eb8c41ed7e3 /template/en/default/attachment | |
parent | d382992164347e076c51d3116a32aeabb2beecd5 (diff) | |
download | bugzilla-9c49307f5c2f5a67ab5b3b1270cc83b30efa8637.tar.gz bugzilla-9c49307f5c2f5a67ab5b3b1270cc83b30efa8637.tar.xz |
Bug 472206: [SECURITY] Bugzilla should optionally not allow the user to view possibly harmful attachments - Patch by Frédéric Buclin <LpSolit@gmail.com> r=mkanat r=justdave a=LpSolit
Diffstat (limited to 'template/en/default/attachment')
-rw-r--r-- | template/en/default/attachment/edit.html.tmpl | 11 | ||||
-rw-r--r-- | template/en/default/attachment/list.html.tmpl | 6 |
2 files changed, 15 insertions, 2 deletions
diff --git a/template/en/default/attachment/edit.html.tmpl b/template/en/default/attachment/edit.html.tmpl index 48137e76a..10c615323 100644 --- a/template/en/default/attachment/edit.html.tmpl +++ b/template/en/default/attachment/edit.html.tmpl @@ -270,6 +270,17 @@ [% END %] </a> </td> + [% ELSIF !Param("allow_attachment_display") %] + <td id="view_disabled" width="50%"> + <p><b> + The attachment is not viewable in your browser due to security + restrictions enabled by [% terms.Bugzilla %]. + </b></p> + <p><b> + In order to view the attachment, you first have to + <a href="attachment.cgi?id=[% attachment.id %]">download it</a>. + </b></p> + </td> [% ELSIF attachment.is_viewable %] <td width="75%"> [% INCLUDE global/textarea.html.tmpl diff --git a/template/en/default/attachment/list.html.tmpl b/template/en/default/attachment/list.html.tmpl index c93ea5808..08c575dbf 100644 --- a/template/en/default/attachment/list.html.tmpl +++ b/template/en/default/attachment/list.html.tmpl @@ -131,9 +131,11 @@ [% IF attachments.size %] <span class="bz_attach_view_hide"> [% IF obsolete_attachments %] - <a href="#a0" onClick="return toggle_display(this);">Hide Obsolete</a> ([% obsolete_attachments %]) | + <a href="#a0" onClick="return toggle_display(this);">Hide Obsolete</a> ([% obsolete_attachments %]) + [% END %] + [% IF Param("allow_attachment_display") %] + <a href="attachment.cgi?bugid=[% bugid %]&action=viewall">View All</a> [% END %] - <a href="attachment.cgi?bugid=[% bugid %]&action=viewall">View All</a> </span> [% END %] <a href="attachment.cgi?bugid=[% bugid %]&action=enter">Add an attachment</a> |
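Review bot: in edit.html.tmpl, the "download it" link in the new `view_disabled` cell points at `attachment.cgi?id=[% attachment.id %]` with no download-specific action or parameter, so whether the browser saves the file or renders it inline is decided entirely by code that this diffstat (limited to the templates) does not show. The template branch only removes the inline viewer. Please confirm, and note in a template comment, that attachment.cgi forces a download (for example through its Content-Disposition header) whenever `allow_attachment_display` is off; otherwise the link leads to the same inline rendering the parameter is meant to prevent. The new `ELSIF` also sits ahead of `attachment.is_viewable`, so it applies to every attachment that reaches this point. That looks intended but deserves a one-line comment.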
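Review bot: in list.html.tmpl, wrapping the "View All" link in `[% IF Param("allow_attachment_display") %]` only hides the link. The `action=viewall` handler in attachment.cgi needs to check the same parameter, and nothing in the visible template changes shows that check, so please point to where it is enforced. Separately, the trailing `|` after `([% obsolete_attachments %])` was removed rather than moved, so when both "Hide Obsolete" and "View All" are shown they now run together with no separator. Consider emitting the `|` inside the new block when `obsolete_attachments` is set.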