Description of problem:
Once upon a time, I could click on a PNG image bugzilla attachment and my browser would display the image. Now redhat bugzilla does something nasty in the generated headers that makes the browser think it absolutely has to start an external viewer program to view the image. Maybe this is deliberate, but I find it incredibly annoying to need multiple different apps to examine a single bugzilla report.

Just as one example, check out the bug at:
https://bugzilla.redhat.com/show_bug.cgi?id=506552
Click on the very 1st attachment (the "screen short" :-), and instead of opening the screen shot in the browser, it pops up a dialog to ask what to do with it, and none of the available options are "just open in the browser dammit" :-).

Version-Release number of selected component (if applicable):
Whatever is currently running at bugzilla.redhat.com (3.2.something).

How reproducible:
Every time in both firefox 3.5 beta on fedora 11 and internet explorer on Windows XP (the two browsers I have tried).

Steps to Reproduce:
1. see above
2.
3.

Actual results:
browser insists on using external viewer

Expected results:
just open the image in the browser

Additional info:
I have visited other sites using other versions of bugzilla and clicked on image attachments and they have opened just fine in the browser, so this appears to be only in bugzilla.redhat.com.
*** Bug 508390 has been marked as a duplicate of this bug. ***
We disabled viewing inline of any attachments other than text/plain for security reasons that were brought to attention in a few upstream Bugzilla bug reports.

[SECURITY] Bugzilla should optionally not allow the user to view possibly harmful attachments
https://bugzilla.mozilla.org/show_bug.cgi?id=472206

[SECURITY] attachments should be at a different hostname
https://bugzilla.mozilla.org/show_bug.cgi?id=38862

Due to our configuration in our data centers, we are not able to use hostname manipulation similar to how bugzilla.mozilla.org solved this issue. All attachments other than text/plain (i.e. patches, logs) will need to be downloaded and viewed locally.

Dave
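The policy described in the comment above, sketched as an added example (not Bugzilla's code and not part of the original thread): only text/plain is served inline, everything else is sent as a download, unless attachments live on a separate hostname. The function names and the `isolated_host` switch are hypothetical.

```python
import re

INLINE_TYPES = {"text/plain"}  # the only type the comment says is still shown inline
TOKEN = r"[a-z0-9!#$&^_.+-]+"


def base_type(declared):
    """Lowercase type/subtype without parameters; opaque bytes if malformed."""
    mime = declared.split(";", 1)[0].strip().lower()
    if not re.fullmatch(TOKEN + "/" + TOKEN, mime):
        return "application/octet-stream"
    return mime


def safe_filename(name):
    """Reduce an uploader-supplied name to characters that cannot alter the header."""
    name = name.replace("\\", "/").rsplit("/", 1)[-1]   # drop any path component
    name = re.sub(r"[^A-Za-z0-9._-]", "_", name).lstrip(".")
    return name[:100] or "attachment"


def attachment_headers(declared_type, filename, isolated_host=False):
    """Response headers for one attachment.

    isolated_host is a hypothetical switch: True when attachments come from a
    hostname separate from the bug tracker (the approach of upstream bug 38862),
    in which case inline display no longer runs in the tracker's origin.
    """
    mime = base_type(declared_type)
    inline = isolated_host or mime in INLINE_TYPES
    return {
        "Content-Type": mime,
        "Content-Disposition": '%s; filename="%s"'
        % ("inline" if inline else "attachment", safe_filename(filename)),
        # Not mentioned in the thread: asks the browser to honour Content-Type as sent.
        "X-Content-Type-Options": "nosniff",
    }


if __name__ == "__main__":
    # Constructed sample attachments, not taken from any real bug.
    for ctype, fname in [("image/png", "screen shot.png"),
                         ("text/plain; charset=UTF-8", "build.log"),
                         ("text/html", 'x".html')]:
        print(fname, "->", attachment_headers(ctype, fname)["Content-Disposition"])
```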
This is really annoying. Why can't you let image/* be displayed inline? Can you really do harmful things with images?