From f7e9b570aedad8287f993a7d474074e497c90856 Mon Sep 17 00:00:00 2001 From: Thorsten Eckel Date: Tue, 31 Jan 2017 17:55:12 +0100 Subject: [PATCH] Fixed issue #617 - Prevent attachment preview in browser attachment download. --- .../app/views/ticket_zoom/article_view.jst.eco | 2 +- app/controllers/ticket_articles_controller.rb | 13 ++++++++++++- 2 files changed, 13 insertions(+), 2 deletions(-) diff --git a/app/assets/javascripts/app/views/ticket_zoom/article_view.jst.eco b/app/assets/javascripts/app/views/ticket_zoom/article_view.jst.eco index 0dbd6e594..1ed4685a5 100644 --- a/app/assets/javascripts/app/views/ticket_zoom/article_view.jst.eco +++ b/app/assets/javascripts/app/views/ticket_zoom/article_view.jst.eco @@ -51,7 +51,7 @@
<%- @article.attachments.length %> <%- @T('Attached Files') %>
<% for attachment in @article.attachments: %>
- <%= attachment.filename %> + <%= attachment.filename %>
<%- @humanFileSize(attachment.size) %>
<% end %> diff --git a/app/controllers/ticket_articles_controller.rb b/app/controllers/ticket_articles_controller.rb index 3baf53f0c..20423edc1 100644 --- a/app/controllers/ticket_articles_controller.rb +++ b/app/controllers/ticket_articles_controller.rb @@ -239,11 +239,14 @@ class TicketArticlesController < ApplicationController # find file file = Store.find(params[:id]) + + disposition = sanitized_disposition + send_data( file.content, filename: file.filename, type: file.preferences['Content-Type'] || file.preferences['Mime-Type'], - disposition: 'inline' + disposition: disposition ) end @@ -267,4 +270,12 @@ class TicketArticlesController < ApplicationController ) end + private + + def sanitized_disposition + disposition = params.fetch(:disposition, 'inline') + valid_disposition = %w(inline attachment) + return disposition if valid_disposition.include?(disposition) + raise Exceptions::NotAuthorized, "Invalid disposition #{disposition} requested. Only #{valid_disposition.join(', ')} are valid." + end end