mirror of https://we.phorge.it/source/phorge.git synced 2024-11-25 16:22:43 +01:00

Enforce viewable MIME types config on PDF documents

Summary:
Let instance admins decide whether to allow PDFs to be viewable as a Web page. See <5ec132bf9e>.

    MOZILLA: Instead of always allowing PDFs to be viewable in the web UI, [...]
    This checks that the PDF mimetype is viewable according to the system
    configuration.

Ref Q83.

Test Plan:
1. Set `files.viewable-mime-types` to exclude application/pdf.
2. Upload a pdf file.
3. See "No document engine can render the contents of this file." in web UI.

Reviewers: O1 Blessed Committers, speck

Reviewed By: O1 Blessed Committers, speck

Subscribers: speck, tobiaswiese, valerio.bozzolan, Matthew, Cigaryno

Differential Revision: https://we.phorge.it/D25464
This commit is contained in:
Zero King 2023-11-11 15:45:21 +08:00
parent 5d80b3fd88
commit 16d9cc12af
2 changed files with 14 additions and 10 deletions


@ -134,9 +134,11 @@ final class PhabricatorFilesConfigOptions
->setDescription( ->setDescription(
pht( pht(
"Configure which uploaded file types may be viewed directly ". "Configure which uploaded file types may be viewed directly ".
"in the browser. Other file types will be downloaded instead ". "in the browser. Other types will be downloaded instead of ".
"of displayed. This is mainly a usability consideration, since ". "displayed. This is a usability and security consideration, ".
"browsers tend to freak out when viewing very large binary files.". "since browsers tend to freak out when viewing very large ".
"binary files, and some types may be vulnerable to XSS attacks ".
"when viewed in a browser.".
"\n\n". "\n\n".
"The keys in this map are viewable MIME types; the values are ". "The keys in this map are viewable MIME types; the values are ".
"the MIME types they are delivered as when they are viewed in ". "the MIME types they are delivered as when they are viewed in ".

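Review bot: The added sentence "some types may be vulnerable to XSS attacks when viewed in a browser" puts the weakness on the file type, while the exposure is to the install that serves such content inline; suggest wording it as "serving some types inline may expose this install to XSS attacks". Since this commit makes PDF rendering depend on the same map, the description should also say that application/pdf has to be present as a key for PDFs to render in the web UI, so that admins with a customised map are not surprised by "No document engine can render the contents of this file." after upgrading.
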

@ -14,14 +14,16 @@ final class PhabricatorPDFDocumentEngine
} }
protected function canRenderDocumentType(PhabricatorDocumentRef $ref) { protected function canRenderDocumentType(PhabricatorDocumentRef $ref) {
// Since we just render a link to the document anyway, we don't need to $viewable_types = PhabricatorEnv::getEnvConfig('files.viewable-mime-types');
// check anything fancy in config to see if the MIME type is actually $viewable_types = array_keys($viewable_types);
// viewable.
return $ref->hasAnyMimeType( $pdf_types = array(
array(
'application/pdf', 'application/pdf',
)); );
return
$ref->hasAnyMimeType($viewable_types) &&
$ref->hasAnyMimeType($pdf_types);
} }
protected function newDocumentContent(PhabricatorDocumentRef $ref) { protected function newDocumentContent(PhabricatorDocumentRef $ref) {
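
Review bot: In the return expression of canRenderDocumentType(), `$ref->hasAnyMimeType($viewable_types)` and `$ref->hasAnyMimeType($pdf_types)` are evaluated independently, so nothing ties the viewable match to application/pdf itself; the result is only correct if a ref can never match a second, viewable type alongside the PDF type. Suggest intersecting $pdf_types with the config keys and making a single hasAnyMimeType() call on the result, returning false when the intersection is empty, which states the intent directly. The deleted comment explained why no config check was made; a one-line comment saying the engine now honours files.viewable-mime-types would keep that context for the next reader.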