Bug 472206: [SECURITY] Bugzilla should optionally not allow the user to view possibly...
authorlpsolit%gmail.com <>
Mon, 2 Feb 2009 19:16:02 +0000 (19:16 +0000)
committerlpsolit%gmail.com <>
Mon, 2 Feb 2009 19:16:02 +0000 (19:16 +0000)
Bugzilla/Config/Attachment.pm
attachment.cgi
template/en/default/admin/params/attachment.html.tmpl
template/en/default/attachment/edit.html.tmpl
template/en/default/attachment/list.html.tmpl

index 449908528a6bbd7d8629f76ab3e54629a35d9964..14a001b514ab74fbfbe04e87054602cae9b2c744 100644 (file)
@@ -40,6 +40,12 @@ $Bugzilla::Config::Attachment::sortkey = "025";
 sub get_param_list {
   my $class = shift;
   my @param_list = (
+  {
+   name => 'allow_attachment_display',
+   type => 'b',
+   default => 0
+  },
+
   {
   name => 'allow_attach_url',
   type => 'b',
index fe755e84310b6c25e921f3699bf619e18a731f47..a8856954722cb838cb9b478d7b78abd961877348 100755 (executable)
@@ -523,8 +523,10 @@ sub view
     $filename =~ s/\\/\\\\/g; # escape backslashes
     $filename =~ s/"/\\"/g; # escape quotes
 
+    my $disposition = Param('allow_attachment_display') ? 'inline' : 'attachment';
+
     print $cgi->header(-type=>"$contenttype; name=\"$filename\"",
-                       -content_disposition=> "inline; filename=\"$filename\"",
+                       -content_disposition=> "$disposition; filename=\"$filename\"",
                        -content_length => $filesize);
 
     if ($thedata) {
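Review bot: The new `$disposition` line is the whole enforcement point of the fix, yet nothing says why `attachment` is the safe value; a comment would keep a later maintainer from "helpfully" reverting to inline: `# 'attachment' makes the browser save the file instead of rendering it with its own MIME type, so a malicious upload cannot run in the Bugzilla origin.` This only changes the `view` path; any other action in attachment.cgi that serves attachment bodies would need the same treatment, which this hunk does not show. The body of `view` starts and ends outside the hunk.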
index ef89c4af00ad44e3ea21d37f28fcce5757db096c..c5256cc17e4b2fd65f61cb7499f7e6a2716be81e 100644 (file)
 %]
 
 [% param_descs = {
+  allow_attachment_display =>
+                  "If this option is on, users will be able to view attachments " _
+                  "from their browser, if their browser supports the attachment's " _
+                  "MIME type. If this option is off, users are forced to download " _
+                  "attachments, even if the browser is able to display them." _
+                  "<p>This is a security restriction for installations where " _
+                  "untrusted users may upload attachments that could be potentially " _
+                  "damaging if viewed directly in the browser.</p>",
+
   allow_attach_url => "If this option is on, it will be possible to " _
                       "specify a URL when creating an attachment and " _
                       "treat the URL itself as if it were an attachment.",
index f34c4593eaebfab0a416fce1612cd91faeb81107..de68b391107e265575cc28a933f453f15d0154d8 100644 (file)
         </small>
       </td>
 
-      [% IF isviewable %]
+      [% IF attachment.isurl %]
+        <td width="75%">
+          <a href="[% attachment.data FILTER html %]">
+            [% IF attachment.datasize < 120 %]
+              [% attachment.data FILTER html %]
+            [% ELSE %]
+              [% attachment.data FILTER truncate(80) FILTER html %]
+              &nbsp;...
+              [% attachment.data.match(".*(.{20})$").0 FILTER html %]
+            [% END %]
+          </a>
+        </td>
+      [% ELSIF !Param("allow_attachment_display") %]
+        <td id="view_disabled" width="50%">
+          <p><b>
+            The attachment is not viewable in your browser due to security
+            restrictions enabled by [% terms.Bugzilla %].
+          </b></p>
+          <p><b>
+            In order to view the attachment, you first have to
+            <a href="attachment.cgi?id=[% attachment.id %]">download it</a>.
+          </b></p>
+        </td>
+      [% ELSIF isviewable %]
         <td width="75%">
           <textarea id="editFrame" name="comment" wrap="soft" cols="80"
                     style="height: 400px; width: 100%; display: none;"></textarea>
             //-->
           </script>
         </td>
-      [% ELSIF attachment.isurl %]
-        <td width="75%">
-          <a href="[% attachment.data FILTER html %]">
-            [% IF attachment.datasize < 120 %]
-              [% attachment.data FILTER html %]
-            [% ELSE %]
-              [% attachment.data FILTER truncate(80) FILTER html %]
-              &nbsp;...
-              [% attachment.data.match(".*(.{20})$").0 FILTER html %]
-            [% END %]
-          </a>
-        </td>
       [% ELSE %]
         <td id="noview" width="50%">
           <p><b>
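Review bot: The branch order now tests `attachment.isurl` before the new parameter, so URL attachments stay clickable even when `allow_attachment_display` is off; that is presumably intentional because the linked content is not served by Bugzilla, but the template should say so, e.g. `[%# URL attachments are external links, not Bugzilla-served content, so they are shown regardless of allow_attachment_display %]` above the `IF attachment.isurl` line. The `view_disabled` cell duplicates the structure of the `noview` cell below it; a one-line note naming the parameter in the user-facing text would also tell administrators which setting produced the message.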
index 598fbb1b16567bc0ce414d5595928f80c5a5f723..601ea74ad9a9afe7e26f74fd587a57ea94a9f304 100644 (file)
@@ -90,7 +90,7 @@
     <td colspan="[% show_attachment_flags ? 6 : 5 %]">
       <a href="attachment.cgi?bugid=[% bugid %]&amp;action=enter">Create a New Attachment</a> (proposed patch, testcase, etc.)
     </td>
-    [% IF attachments.size %]
+    [% IF attachments.size && Param("allow_attachment_display") %]
       <td>
         <a href="attachment.cgi?bugid=[% bugid %]&amp;action=viewall">View All</a>
       </td>
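Review bot: Hiding the "View All" link here does not stop a request for `action=viewall` from being made directly; if the intent is to withhold the viewall rendering for security rather than only to tidy the UI, the check belongs in attachment.cgi's viewall handler as well, which is not among the hunks shown. If viewall is already gated server-side elsewhere in this commit, a template comment such as `[%# viewall is also refused in attachment.cgi when the parameter is off %]` would make that relationship visible to the next reader.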