Bug 508282 - annoying browser behavior when accessing PNG image attachments
Summary: annoying browser behavior when accessing PNG image attachments
Keywords:
Status: CLOSED CANTFIX
Alias: None
Product: Bugzilla
Classification: Community
Component: Attachments/Requests
Version: 3.2
Hardware: All
OS: Linux
low
medium
Target Milestone: ---
Assignee: PnT DevOps Devs
QA Contact:
URL:
Whiteboard:
Duplicates: 508390
Depends On:
Blocks:
Reported: 2009-06-26 12:06 UTC by Tom Horsley
Modified: 2019-03-28 09:18 UTC

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2009-06-28 04:40:49 UTC
Embargoed:



Description Tom Horsley 2009-06-26 12:06:46 UTC
Description of problem:

Once upon a time, I could click on a PNG image bugzilla attachment and
my browser would display the image. Now redhat bugzilla does something
nasty in the generated headers that makes the browser think it absolutely
has to start an external viewer program to view the image. Maybe this
is deliberate, but I find it incredibly annoying to need multiple different
apps to examine a single bugzilla report.

Just as one example, check out the bug at:

https://bugzilla.redhat.com/show_bug.cgi?id=506552

Click on the very 1st attachment (the "screen short" :-), and instead of
opening the screen shot in the browser, it pops up a dialog to ask what
to do with it, and none of the available options are "just open in the
browser dammit" :-).

Version-Release number of selected component (if applicable):
Whatever is currently running at bugzilla.redhat.com (3.2.something).

How reproducible:
Every time in both firefox 3.5 beta on fedora 11 and internet explorer
on Windows XP (the two browsers I have tried).

Steps to Reproduce:
1.see above
2.
3.
  
Actual results:
browser insists on using external viewer

Expected results:
just open the image in the browser

Additional info:
I have visited other sites using other versions of bugzilla and clicked
on image attachments and they have opened just fine in the browser, so
this appears to be only in bugzilla.redhat.com.

Comment 1 David Lawrence 2009-06-28 03:58:20 UTC
*** Bug 508390 has been marked as a duplicate of this bug. ***

Comment 2 David Lawrence 2009-06-28 04:40:33 UTC
We disabled viewing inline of any attachments other than text/plain for security reasons that were brought to attention in a few upstream Bugzilla bug reports.

[SECURITY] Bugzilla should optionally not allow the user to view possibly harmful attachments
https://bugzilla.mozilla.org/show_bug.cgi?id=472206

[SECURITY] attachments should be at a different hostname
https://bugzilla.mozilla.org/show_bug.cgi?id=38862

Due to our configuration in our data centers, we are not able to use hostname manipulation similar to how bugzilla.mozilla.org solved this issue.

All attachments other than text/plain (i.e. patches, logs) will need to be downloaded and viewed locally.

Dave
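
The policy described in Comment 2, as an added example (not part of the original comment, and not Bugzilla's or Red Hat's code): only text/plain is served inline on the tracker's own hostname, everything else is forced to download, and inline display of other types is allowed only on a dedicated attachment hostname. The function names, the `attachment_host` setting, the `example.test` hostnames and the `X-Content-Type-Options` header are assumptions of this sketch.

```python
import re

# Per Comment 2: text/plain is the only type still rendered inline.
INLINE_ON_MAIN_HOST = {"text/plain"}
_TOKEN = r"[a-z0-9!#$&^_.+-]+"
_MEDIA_RE = re.compile(rf"{_TOKEN}/{_TOKEN}")


def media_type(declared):
    """Lower-cased type/subtype, parameters dropped; malformed -> octet-stream."""
    base = (declared or "").split(";", 1)[0].strip().lower()
    return base if _MEDIA_RE.fullmatch(base) else "application/octet-stream"


def safe_filename(name):
    """Conservative character set so the name cannot break out of the header."""
    cleaned = re.sub(r"[^A-Za-z0-9._-]", "_", name or "").lstrip(".")
    return cleaned or "attachment"


def attachment_headers(declared, filename, request_host, attachment_host=None):
    """Response headers for one attachment download.

    attachment_host (hypothetical setting): a dedicated hostname that serves
    only attachments. A request that arrived on it may render inline, because
    content there does not share the tracker's origin.
    """
    media = media_type(declared)
    isolated = bool(attachment_host) and request_host.lower() == attachment_host.lower()
    inline = isolated or media in INLINE_ON_MAIN_HOST
    disposition = "inline" if inline else "attachment"
    return {
        "Content-Type": media,
        "Content-Disposition": f'{disposition}; filename="{safe_filename(filename)}"',
        # Addition not mentioned on the page: stop browsers re-guessing the type.
        "X-Content-Type-Options": "nosniff",
    }


if __name__ == "__main__":
    # Constructed sample requests; hostnames are placeholders.
    samples = [("image/png", "shot.png", "bugs.example.test", None),
               ("TEXT/Plain; charset=utf-8", "build.log", "bugs.example.test", None),
               ("image/png", "shot.png", "attachments.example.test",
                "attachments.example.test")]
    for declared, name, host, att_host in samples:
        print(host, attachment_headers(declared, name, host, att_host))
```
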

Comment 3 Frédéric Buclin 2011-02-20 10:22:08 UTC
This is really annoying. Why can't you let image/* be displayed inline? Can you really do harmful things with images?

