authorlpsolit%gmail.com <>2009-02-02 20:10:32 +0100
committerlpsolit%gmail.com <>2009-02-02 20:10:32 +0100
commit9c49307f5c2f5a67ab5b3b1270cc83b30efa8637 (patch)
tree4b499585721720596570442514b89eb8c41ed7e3 /template/en/default/attachment
parentd382992164347e076c51d3116a32aeabb2beecd5 (diff)
Bug 472206: [SECURITY] Bugzilla should optionally not allow the user to view possibly harmful attachments - Patch by Frédéric Buclin <LpSolit@gmail.com> r=mkanat r=justdave a=LpSolit
Diffstat (limited to 'template/en/default/attachment')
-rw-r--r--template/en/default/attachment/edit.html.tmpl11
-rw-r--r--template/en/default/attachment/list.html.tmpl6
2 files changed, 15 insertions, 2 deletions
diff --git a/template/en/default/attachment/edit.html.tmpl b/template/en/default/attachment/edit.html.tmpl
index 48137e76a..10c615323 100644
--- a/template/en/default/attachment/edit.html.tmpl
+++ b/template/en/default/attachment/edit.html.tmpl
@@ -270,6 +270,17 @@
[% END %]
</a>
</td>
+ [% ELSIF !Param("allow_attachment_display") %]
+ <td id="view_disabled" width="50%">
+ <p><b>
+ The attachment is not viewable in your browser due to security
+ restrictions enabled by [% terms.Bugzilla %].
+ </b></p>
+ <p><b>
+ In order to view the attachment, you first have to
+ <a href="attachment.cgi?id=[% attachment.id %]">download it</a>.
+ </b></p>
+ </td>
[% ELSIF attachment.is_viewable %]
<td width="75%">
[% INCLUDE global/textarea.html.tmpl
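Review bot: The `!Param("allow_attachment_display")` branch is presentation only: its "download it" link still targets plain `attachment.cgi?id=…`, so the protection holds only if the server answers that URL with a forced download rather than inline content. The diffstat on this page is limited to the template directory, so that handler is not visible here and should be checked together with this hunk; the same applies to the `action=viewall` link gated in list.html.tmpl. I would record the dependency in the template with a comment above the branch, for example `[%# Display is disabled site-wide: attachment.cgi must serve this link as a download, never inline %]`. The IF chain starts before the hunk, so the branch evaluated ahead of this one cannot be confirmed from here.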
diff --git a/template/en/default/attachment/list.html.tmpl b/template/en/default/attachment/list.html.tmpl
index c93ea5808..08c575dbf 100644
--- a/template/en/default/attachment/list.html.tmpl
+++ b/template/en/default/attachment/list.html.tmpl
@@ -131,9 +131,11 @@
[% IF attachments.size %]
<span class="bz_attach_view_hide">
[% IF obsolete_attachments %]
- <a href="#a0" onClick="return toggle_display(this);">Hide Obsolete</a> ([% obsolete_attachments %]) |
+ <a href="#a0" onClick="return toggle_display(this);">Hide Obsolete</a> ([% obsolete_attachments %])
+ [% END %]
+ [% IF Param("allow_attachment_display") %]
+ <a href="attachment.cgi?bugid=[% bugid %]&amp;action=viewall">View All</a>
[% END %]
- <a href="attachment.cgi?bugid=[% bugid %]&amp;action=viewall">View All</a>
</span>
[% END %]
<a href="attachment.cgi?bugid=[% bugid %]&amp;action=enter">Add an attachment</a>
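Review bot: The `|` separator dropped from the Hide Obsolete line is not re-added anywhere, so when `obsolete_attachments` is set and `allow_attachment_display` is on, the obsolete count and the View All link render with no separator between them. Emitting it inside the new `Param` block restores the old output, e.g. `[% IF obsolete_attachments %] | [% END %]` directly before the View All anchor. When neither condition holds, the `bz_attach_view_hide` span is now emitted empty, which may be worth guarding as well. The markup enclosing the `[% IF attachments.size %]` block lies outside the hunk.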