The root of the problem is that IE is "not standards compliant" (to say it nicely). Even if a URL ends with .pdf and is sent with the MIME type for a PDF, IE will still (at least in 6, meaning that it doesn't matter if this is fixed in later versions) run content detection on the data, and if it looks like HTML it will display it in the browser. This then leads to the JavaScript security fun I mentioned. The only way to force IE to never show something in the browser no matter the type is to set the Content-Disposition header and force all browsers to download the file. So the nasty case is that someone uploads a "PDF" to your server that is actually an HTML page with JavaScript in it that will do an HTTP request against the server to do something destructive. That malicious code will run with _your_ permissions, so if you happen to be the site admin they could do something like grant admin access to themselves or delete all the accounts, etc. Hope this clarifies the issue.

--Noah

On May 24, 2009, at 8:52 PM, Ariel Balter wrote:

> What if we put "target=new", so it opened the file in a new window. Then we wouldn't need Trac chrome around it. I realize I'm one of the people using Trac for something other than what it was intended (managing an academic research project), but I wonder if others would also like to have their PDF files "preview" if that's what you call it. (I just call it FF displaying the PDF using the Adobe Reader plugin.)
>
> Noah Kantrowitz wrote:
>>
>> Opening the raw file is different from providing a preview. The hard
>> part is to embed the PDF in the page while providing the Trac chrome
>> around it. I think you are just asking why we set Content-Disposition,
>> which I answered in that it is a security risk not to.
>>
>> --Noah
>>
>> On May 24, 2009, at 8:02 PM, Ariel Balter wrote:
>>
>>
>>> I'm confused here because I work in an academic setting and my
>>> professional life revolves around viewing PDF journal articles on
>>> the web all day long from journals, publishers, etc. I just can't
>>> mesh this with your suggestion that it is some kind of security risk
>>> or hard-to-solve problem.
>>>
>>> The wikipedia page on PDF files
>>> http://en.wikipedia.org/wiki/Pdf
>>> has many references and external links which are PDF files and DO
>>> open in the browser rather than downloading.
>>>
>>> So then I went to wikimedia commons, did a search for "pdf", and
>>> clicked on the first result, which is:
>>> http://upload.wikimedia.org/wikipedia/commons/9/9d/AAV_Reisebericht_1661_Aachen_Savelsberg.pdf
>>> and which opens in my browser.
>>>
>>> Can someone please shed some light on why major journal publishers
>>> can do this and Wikipedia can do this, but Trac can't?
>>>
>>> Noah Kantrowitz wrote:
>>>
>>>> You don't. We force downloading the raw views for security reasons.
>>>> Specifically with HTML you can have problems where the JavaScript in
>>>> the page runs within the security context of the Trac URL. There is no
>>>> good cross-platform way to embed a PDF, as I already said. The way to do
>>>> PDF previews would probably be to render to an image or Flash file a
>>>> la SlideShare or Google Docs.
>>>>
>>>> --Noah
>>>>
>>>> On May 24, 2009, at 7:38 PM, Ariel Balter wrote:
>>>>
>>>>
>>>>
>>>>> Here is a link to a PDF file:
>>>>> http://myotherstuff.org/share/browser_test.pdf
>>>>> When I paste that in my browser (latest FF), the PDF file opens in
>>>>> my browser.
>>>>>
>>>>> Also, here is a link to an HTML file with a link to the above URL.
>>>>> http://myotherstuff.org/share/browser_test.html
>>>>> When I click on the link, FF opens the page in my browser.
>>>>>
>>>>> How can I get Trac to do that with PDF files?
>>>>>
>>>>> Thanks, Ariel
>>>>>
>>>>> P.S. Just tested in IE with same behavior.
>>>>>
>>>>> Noah Kantrowitz wrote:
>>>>>
>>>>>
>>>>>> No, there is no cross-browser way to offer such a thing without
>>>>>> rendering the PDFs to an image or something (which brings up its
>>>>>> own portability issues).
>>>>>>
>>>>>> --Noah
>>>>>>
>>>>>> On May 24, 2009, at 12:10 PM, abalter wrote:
>>>>>>
>>>>>>
>>>>>>
>>>>>>
>>>>>>> When you view an attached PDF file you get the "HTML preview not
>>>>>>> available" message, and the suggestion to "Try downloading the
>>>>>>> file instead.".
>>>>>>>
>>>>>>> Is there a way to make it so that PDFs try to open in the
>>>>>>> browser window as they do when they are simply web files?
>>>>>>>
>>>>>>>
>>>>>>>
>>>>>>
>>>>> -- 
>>>>> /\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\/\
>>>>>
>>>>> Ariel I Balter, Ph.D.
>>>>> Postdoc
>>>>> Biological Monitoring/Modeling
>>>>> Fundamental and Computational Sciences Directorate
>>>>>
>>>>> Pacific Northwest National Laboratory
>>>>> Mail:
>>>>> PO Box 999, MS P7-58, Richland, WA 99352
>>>>> Shipping:
>>>>> 790 6th Street, MS P7-58, Richland, WA 99354
>>>>>
>>>>> Tel:  509-376-7605
>>>>> Cell:  509-713-0087
>>>>> [email protected]
>>>>> www.arielbalter.com
>>>>> www.pnl.gov
>>>>>
>>>>>
>>>>> <ariel.vcf>
>>>>>
>>>>>
>>>>
>>>>
>>
>>
>>
>


--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups "Trac 
Users" group.
To post to this group, send email to [email protected]
To unsubscribe from this group, send email to 
[email protected]
For more options, visit this group at 
http://groups.google.com/group/trac-users?hl=en
-~----------~----~----~----~------~----~------~--~---
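The fix Noah describes at the top of this thread, serving raw attachments with `Content-Disposition: attachment` so that no browser (content-sniffing IE6 included) renders an uploaded "PDF" as HTML inside the Trac origin, as an added Python example. This is not Trac's own code: the handler shape `(status, headers, body)` and every function name are assumptions, and the `X-Content-Type-Options: nosniff` header is a later addition (IE8 and up) that does not help IE6 and is only included as defence in depth.

```python
"""Serve user-uploaded attachments so no browser renders them inline.

Added example, not Trac's own code. The helper names and the
(status, headers, body) handler shape are hypothetical.
"""
import re
from urllib.parse import quote

# Markers IE-style content sniffing treats as "this is really HTML".
# The declared MIME type and the .pdf extension are untrusted.
HTML_MARKERS = (b"<!doctype html", b"<html", b"<script", b"<body", b"<iframe")


def looks_like_html(data: bytes, window: int = 512) -> bool:
    """Approximate the risk in the thread: a browser that sniffs the
    leading bytes will render them as HTML if they look like markup,
    whatever the Content-Type says. Use this on upload to reject or
    flag such files before they are ever served."""
    head = data[:window].lstrip().lower()
    return any(marker in head for marker in HTML_MARKERS)


def is_pdf(data: bytes) -> bool:
    """Genuine PDFs begin with the %PDF- magic bytes."""
    return data.startswith(b"%PDF-")


def safe_filename(name: str) -> str:
    """ASCII fallback name: no path separators, quotes, or CR/LF, so the
    header cannot be broken out of and the name cannot traverse directories."""
    base = name.replace("\\", "/").rsplit("/", 1)[-1]
    return re.sub(r"[^A-Za-z0-9._-]", "_", base) or "download"


def attachment_headers(filename: str, content_type: str, body: bytes) -> list:
    """Headers for a raw attachment view.

    Content-Disposition: attachment is the one header every browser honours
    as "download, do not render", which is the fix Noah describes. Bodies
    that sniff as HTML additionally get a generic binary type so an
    inline-capable client still has nothing to execute."""
    ctype = content_type
    if looks_like_html(body) or not ctype:
        ctype = "application/octet-stream"
    fallback = safe_filename(filename)
    # RFC 6266 / RFC 5987: ASCII fallback plus UTF-8 filename* when they differ.
    disposition = 'attachment; filename="%s"' % fallback
    if fallback != filename:
        disposition += "; filename*=UTF-8''%s" % quote(filename, safe="")
    return [
        ("Content-Type", ctype),
        ("Content-Disposition", disposition),
        ("X-Content-Type-Options", "nosniff"),  # IE8+ only; harmless elsewhere
        ("Content-Length", str(len(body))),
    ]


def serve_attachment(filename: str, content_type: str, body: bytes):
    """Hypothetical raw-view handler returning (status, headers, body)."""
    return ("200 OK", attachment_headers(filename, content_type, body), body)


if __name__ == "__main__":
    # Constructed sample: an "attachment.pdf" that is really an HTML page.
    fake_pdf = b"<html><body>not a pdf</body></html>"
    status, headers, _ = serve_attachment("report.pdf", "application/pdf", fake_pdf)
    for name, value in headers:
        print("%s: %s" % (name, value))
```

A real PDF keeps its declared type but is still sent as an attachment; anything whose leading bytes sniff as HTML is downgraded to `application/octet-stream` on top of that. Rejecting such uploads outright with `looks_like_html` at upload time is the stricter option.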
