mirror of
https://we.phorge.it/source/phorge.git
synced 2024-11-25 16:22:43 +01:00
Enforce viewable MIME types config on PDF documents
Summary:
Let instance admins decide whether to allow PDFs to be viewable as a Web page. See <5ec132bf9e
>.
MOZILLA: Instead of always allowing PDFs to be viewable in the web UI, [...]
This checks that the PDF mimetype is viewable according to the system
configuration.
Ref Q83.
Test Plan:
1. Set `files.viewable-mime-types` to exclude application/pdf.
2. Upload a pdf file.
3. See "No document engine can render the contents of this file." in web UI.
Reviewers: O1 Blessed Committers, speck
Reviewed By: O1 Blessed Committers, speck
Subscribers: speck, tobiaswiese, valerio.bozzolan, Matthew, Cigaryno
Differential Revision: https://we.phorge.it/D25464
This commit is contained in:
parent
5d80b3fd88
commit
16d9cc12af
2 changed files with 14 additions and 10 deletions
|
@ -134,9 +134,11 @@ final class PhabricatorFilesConfigOptions
|
||||||
->setDescription(
|
->setDescription(
|
||||||
pht(
|
pht(
|
||||||
"Configure which uploaded file types may be viewed directly ".
|
"Configure which uploaded file types may be viewed directly ".
|
||||||
"in the browser. Other file types will be downloaded instead ".
|
"in the browser. Other types will be downloaded instead of ".
|
||||||
"of displayed. This is mainly a usability consideration, since ".
|
"displayed. This is a usability and security consideration, ".
|
||||||
"browsers tend to freak out when viewing very large binary files.".
|
"since browsers tend to freak out when viewing very large ".
|
||||||
|
"binary files, and some types may be vulnerable to XSS attacks ".
|
||||||
|
"when viewed in a browser.".
|
||||||
"\n\n".
|
"\n\n".
|
||||||
"The keys in this map are viewable MIME types; the values are ".
|
"The keys in this map are viewable MIME types; the values are ".
|
||||||
"the MIME types they are delivered as when they are viewed in ".
|
"the MIME types they are delivered as when they are viewed in ".
|
||||||
|
|
|
@ -14,14 +14,16 @@ final class PhabricatorPDFDocumentEngine
|
||||||
}
|
}
|
||||||
|
|
||||||
protected function canRenderDocumentType(PhabricatorDocumentRef $ref) {
|
protected function canRenderDocumentType(PhabricatorDocumentRef $ref) {
|
||||||
// Since we just render a link to the document anyway, we don't need to
|
$viewable_types = PhabricatorEnv::getEnvConfig('files.viewable-mime-types');
|
||||||
// check anything fancy in config to see if the MIME type is actually
|
$viewable_types = array_keys($viewable_types);
|
||||||
// viewable.
|
|
||||||
|
|
||||||
return $ref->hasAnyMimeType(
|
$pdf_types = array(
|
||||||
array(
|
|
||||||
'application/pdf',
|
'application/pdf',
|
||||||
));
|
);
|
||||||
|
|
||||||
|
return
|
||||||
|
$ref->hasAnyMimeType($viewable_types) &&
|
||||||
|
$ref->hasAnyMimeType($pdf_types);
|
||||||
}
|
}
|
||||||
|
|
||||||
protected function newDocumentContent(PhabricatorDocumentRef $ref) {
|
protected function newDocumentContent(PhabricatorDocumentRef $ref) {
|
||||||
|
|
Loading…
Reference in a new issue