Thanks for clearing that up. I now better understand the security issues (also from Noah's input).
This helps me decide whether it might be reasonable for our closed Trac site to turn off the "render unsafe content" switch.

For the future, I wonder if there are ways to set rendering for some mimes and not others? Perhaps it would be reasonable to allow rendering of properly configured PDF files and no other? Or perhaps there could be a moderating step and then allow an individual file? For closed projects with a reasonable number of users, there could be really useful options.

Thanks,
Ariel

Christian Boos wrote:
> Hello,
>
> abalter wrote:
>
>> When you view an attached PDF file you get the "HTML preview not
>> available" message, and the suggestion to "Try downloading the file
>> instead.".
>>
>> Is there a way to make it so that PDFs try to open in the browser
>> window as they do when they are simply web files?
>
> By default, when downloading an attachment, we send it with a
> Content-Disposition set to "attachment", which effectively prevents the
> file from being opened directly by the browser.
> This is because there are some browsers which will attempt to render as
> HTML any /content/ that looks like HTML, completely ignoring the
> mime-type or the file extension. Therefore someone could craft a
> malicious HTML page, name it something.pdf and upload it to your site.
> If you have set the proper permissions and know that you can trust
> people who have those permissions (to attach files, to commit files to
> your repository), then there are ways to configure Trac so that it won't
> set this Content-Disposition header.
> See http://trac.edgewall.org/wiki/ChangeLog#a0.10.3.1 and look for
> render_unsafe_content in TracIni.
>
> Also, if you want to bypass the "preview" page when clicking on an
> attachment link, it is possible to create links using the
> raw-attachment: TracLinks prefix in your wiki text. Or use a recent Trac
> (0.11.5dev), where you'll get "download" icons next to any attachment link.
>
> -- Christian

--
Ariel I Balter, Ph.D.
Postdoc
Biological Monitoring/Modeling
Fundamental and Computational Sciences Directorate
Pacific Northwest National Laboratory
www.arielbalter.com
www.pnl.gov
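The per-type rendering asked about above, as an added sketch that is not part of the thread and not Trac's code: a file is served inline only when its declared type is on an allow-list, its leading bytes match that type, and nothing HTML-like sits in the region a sniffing browser reads. The function names, the allow-list, the 1024-byte window and the sample byte strings are assumptions made for illustration; X-Content-Type-Options is a standard response header not mentioned in the thread.

```python
import re

# Assumed allow-list: types a closed site is willing to show in the browser,
# mapped to the magic bytes the content must start with.
INLINE_ALLOWED = {"application/pdf": b"%PDF-"}
# Tags that make content "look like HTML" to a sniffing browser (heuristic).
HTML_MARKERS = re.compile(rb"<\s*(!doctype|html|head|body|script|iframe|svg)", re.I)
SNIFF_WINDOW = 1024  # bytes inspected; assumed value


def looks_like(mime_type, content):
    """True only if content starts with the magic bytes for mime_type and
    no HTML marker appears in the part a sniffing browser would read."""
    magic = INLINE_ALLOWED.get(mime_type)
    if magic is None or not content.startswith(magic):
        return False
    return HTML_MARKERS.search(content[:SNIFF_WINDOW]) is None


def response_headers(filename, declared_type, content):
    """Build download headers; inline only for verified allow-listed types."""
    safe_name = re.sub(r"[^A-Za-z0-9._-]", "_", filename)
    if looks_like(declared_type, content):
        disposition, ctype = "inline", declared_type
    else:
        # The default described in the thread: force a download.
        disposition, ctype = "attachment", "application/octet-stream"
    return {
        "Content-Type": ctype,
        "Content-Disposition": '%s; filename="%s"' % (disposition, safe_name),
        "X-Content-Type-Options": "nosniff",  # ask the browser not to sniff
    }


# Constructed sample inputs (not taken from any real upload).
REAL_PDF = b"%PDF-1.4\n1 0 obj\n<< /Type /Catalog >>\nendobj\n"
HTML_NAMED_PDF = b"<html><body>hello</body></html>"
PDF_WITH_HTML = b"%PDF-1.4\n<html><body>hello</body></html>"

if __name__ == "__main__":
    for name, data in [("report.pdf", REAL_PDF),
                       ("something.pdf", HTML_NAMED_PDF),
                       ("mixed.pdf", PDF_WITH_HTML)]:
        print(name, response_headers(name, "application/pdf", data))
```

The HTML-marker scan is a heuristic over the first bytes only, so it narrows the default rather than replacing the trust decision the thread describes for people who can attach files.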
