jro_apps/redmine Commit - r15903:34c5b51cf095

Always send images user-uploaded images with Content-Disposition: attachment (#24199)....

Jean-Philippe Lang -

r15903:34c5b51cf095

parent child

Context file:

r15903:34c5b51cf095

Collapse all files

app/controllers/attachments_controller.rb +1 -1

             # Redmine - project management software
             # Copyright (C) 2006-2016  Jean-Philippe Lang
             #
             # This program is free software; you can redistribute it and/or
             # modify it under the terms of the GNU General Public License
             # as published by the Free Software Foundation; either version 2
             # of the License, or (at your option) any later version.
             #
             # This program is distributed in the hope that it will be useful,
             # but WITHOUT ANY WARRANTY; without even the implied warranty of
             # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
             # GNU General Public License for more details.
             #
             # You should have received a copy of the GNU General Public License
             # along with this program; if not, write to the Free Software
             # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
             class AttachmentsController < ApplicationController
               before_action :find_attachment, :only => [:show, :download, :thumbnail, :update, :destroy]
               before_action :find_editable_attachments, :only => [:edit_all, :update_all]
               before_action :file_readable, :read_authorize, :only => [:show, :download, :thumbnail]
               before_action :update_authorize, :only => :update
               before_action :delete_authorize, :only => :destroy
               before_action :authorize_global, :only => :upload
               # Disable check for same origin requests for JS files, i.e. attachments with
               # MIME type text/javascript.
               skip_after_filter :verify_same_origin_request, :only => :download
               accept_api_auth :show, :download, :thumbnail, :upload, :update, :destroy
               def show
                 respond_to do |format|
                   format.html {
                     if @attachment.is_diff?
                       @diff = File.read(@attachment.diskfile, :mode => "rb")
                       @diff_type = params[:type] || User.current.pref[:diff_type] || 'inline'
                       @diff_type = 'inline' unless %w(inline sbs).include?(@diff_type)
                       # Save diff type as user preference
                       if User.current.logged? && @diff_type != User.current.pref[:diff_type]
                         User.current.pref[:diff_type] = @diff_type
                         User.current.preference.save
                       end
                       render :action => 'diff'
                     elsif @attachment.is_text? && @attachment.filesize <= Setting.file_max_size_displayed.to_i.kilobyte
                       @content = File.read(@attachment.diskfile, :mode => "rb")
                       render :action => 'file'
                     elsif @attachment.is_image?
                       render :action => 'image'
                     else
                       render :action => 'other'
                     end
                   }
                   format.api
                 end
               end
               def download
                 if @attachment.container.is_a?(Version) || @attachment.container.is_a?(Project)
                   @attachment.increment_download
                 end
                 if stale?(:etag => @attachment.digest)
                   # images are sent inline
                   send_file @attachment.diskfile, :filename => filename_for_content_disposition(@attachment.filename),
                                                   :type => detect_content_type(@attachment),
                                                   :disposition => disposition(@attachment)
                 end
               end
               def thumbnail
                 if @attachment.thumbnailable? && tbnail = @attachment.thumbnail(:size => params[:size])
                   if stale?(:etag => tbnail)
                     send_file tbnail,
                       :filename => filename_for_content_disposition(@attachment.filename),
                       :type => detect_content_type(@attachment),
                       :disposition => 'inline'
                   end
                 else
                   # No thumbnail for the attachment or thumbnail could not be created
                   head 404
                 end
               end
               def upload
                 # Make sure that API users get used to set this content type
                 # as it won't trigger Rails' automatic parsing of the request body for parameters
                 unless request.content_type == 'application/octet-stream'
                   head 406
                   return
                 end
                 @attachment = Attachment.new(:file => request.raw_post)
                 @attachment.author = User.current
                 @attachment.filename = params[:filename].presence || Redmine::Utils.random_hex(16)
                 @attachment.content_type = params[:content_type].presence
                 saved = @attachment.save
                 respond_to do |format|
                   format.js
                   format.api {
                     if saved
                       render :action => 'upload', :status => :created
                     else
                       render_validation_errors(@attachment)
                     end
                   }
                 end
               end
               # Edit all the attachments of a container
               def edit_all
               end
               # Update all the attachments of a container
               def update_all
                 if params[:attachments].is_a?(Hash)
                   if Attachment.update_attachments(@attachments, params[:attachments])
                     redirect_back_or_default home_path
                     return
                   end
                 end
                 render :action => 'edit_all'
               end
               def update
                 @attachment.safe_attributes = params[:attachment]
                 saved = @attachment.save
                 respond_to do |format|
                   format.api {
                     if saved
                       render_api_ok
                     else
                       render_validation_errors(@attachment)
                     end
                   }
                 end
               end
               def destroy
                 if @attachment.container.respond_to?(:init_journal)
                   @attachment.container.init_journal(User.current)
                 end
                 if @attachment.container
                   # Make sure association callbacks are called
                   @attachment.container.attachments.delete(@attachment)
                 else
                   @attachment.destroy
                 end
                 respond_to do |format|
                   format.html { redirect_to_referer_or project_path(@project) }
                   format.js
                   format.api { render_api_ok }
                 end
               end
               private
               def find_attachment
                 @attachment = Attachment.find(params[:id])
                 # Show 404 if the filename in the url is wrong
                 raise ActiveRecord::RecordNotFound if params[:filename] && params[:filename] != @attachment.filename
                 @project = @attachment.project
               rescue ActiveRecord::RecordNotFound
                 render_404
               end
               def find_editable_attachments
                 klass = params[:object_type].to_s.singularize.classify.constantize rescue nil
                 unless klass && klass.reflect_on_association(:attachments)
                   render_404
                   return
                 end
                 @container = klass.find(params[:object_id])
                 if @container.respond_to?(:visible?) && !@container.visible?
                   render_403
                   return
                 end
                 @attachments = @container.attachments.select(&:editable?)
                 if @container.respond_to?(:project)
                   @project = @container.project
                 end
                 render_404 if @attachments.empty?
               rescue ActiveRecord::RecordNotFound
                 render_404
               end
               # Checks that the file exists and is readable
               def file_readable
                 if @attachment.readable?
                   true
                 else
                   logger.error "Cannot send attachment, #{@attachment.diskfile} does not exist or is unreadable."
                   render_404
                 end
               end
               def read_authorize
                 @attachment.visible? ? true : deny_access
               end
               def update_authorize
                 @attachment.editable? ? true : deny_access
               end
               def delete_authorize
                 @attachment.deletable? ? true : deny_access
               end
               def detect_content_type(attachment)
                 content_type = attachment.content_type
                 if content_type.blank? || content_type == "application/octet-stream"
                   content_type = Redmine::MimeType.of(attachment.filename)
                 end
                 content_type.to_s
               end
               def disposition(attachment)
-                if attachment.is_image? || attachment.is_pdf?
+                if attachment.is_pdf?
                   'inline'
                 else
                   'attachment'
                 end
               end
             end

app/controllers/repositories_controller.rb +1 -1

             # Redmine - project management software
             # Copyright (C) 2006-2016  Jean-Philippe Lang
             #
             # This program is free software; you can redistribute it and/or
             # modify it under the terms of the GNU General Public License
             # as published by the Free Software Foundation; either version 2
             # of the License, or (at your option) any later version.
             #
             # This program is distributed in the hope that it will be useful,
             # but WITHOUT ANY WARRANTY; without even the implied warranty of
             # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
             # GNU General Public License for more details.
             #
             # You should have received a copy of the GNU General Public License
             # along with this program; if not, write to the Free Software
             # Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
             require 'SVG/Graph/Bar'
             require 'SVG/Graph/BarHorizontal'
             require 'digest/sha1'
             require 'redmine/scm/adapters'
             class ChangesetNotFound < Exception; end
             class InvalidRevisionParam < Exception; end
             class RepositoriesController < ApplicationController
               menu_item :repository
               menu_item :settings, :only => [:new, :create, :edit, :update, :destroy, :committers]
               default_search_scope :changesets
               before_action :find_project_by_project_id, :only => [:new, :create]
               before_action :build_new_repository_from_params, :only => [:new, :create]
               before_action :find_repository, :only => [:edit, :update, :destroy, :committers]
               before_action :find_project_repository, :except => [:new, :create, :edit, :update, :destroy, :committers]
               before_action :find_changeset, :only => [:revision, :add_related_issue, :remove_related_issue]
               before_action :authorize
               accept_rss_auth :revisions
               rescue_from Redmine::Scm::Adapters::CommandFailed, :with => :show_error_command_failed
               def new
                 @repository.is_default = @project.repository.nil?
               end
               def create
                 if @repository.save
                   redirect_to settings_project_path(@project, :tab => 'repositories')
                 else
                   render :action => 'new'
                 end
               end
               def edit
               end
               def update
                 @repository.safe_attributes = params[:repository]
                 if @repository.save
                   redirect_to settings_project_path(@project, :tab => 'repositories')
                 else
                   render :action => 'edit'
                 end
               end
               def committers
                 @committers = @repository.committers
                 @users = @project.users.to_a
                 additional_user_ids = @committers.collect(&:last).collect(&:to_i) - @users.collect(&:id)
                 @users += User.where(:id => additional_user_ids).to_a unless additional_user_ids.empty?
                 @users.compact!
                 @users.sort!
                 if request.post? && params[:committers].is_a?(Hash)
                   # Build a hash with repository usernames as keys and corresponding user ids as values
                   @repository.committer_ids = params[:committers].values.inject({}) {|h, c| h[c.first] = c.last; h}
                   flash[:notice] = l(:notice_successful_update)
                   redirect_to settings_project_path(@project, :tab => 'repositories')
                 end
               end
               def destroy
                 @repository.destroy if request.delete?
                 redirect_to settings_project_path(@project, :tab => 'repositories')
               end
               def show
                 @repository.fetch_changesets if @project.active? && Setting.autofetch_changesets? && @path.empty?
                 @entries = @repository.entries(@path, @rev)
                 @changeset = @repository.find_changeset_by_name(@rev)
                 if request.xhr?
                   @entries ? render(:partial => 'dir_list_content') : head(200)
                 else
                   (show_error_not_found; return) unless @entries
                   @changesets = @repository.latest_changesets(@path, @rev)
                   @properties = @repository.properties(@path, @rev)
                   @repositories = @project.repositories
                   render :action => 'show'
                 end
               end
               alias_method :browse, :show
               def changes
                 @entry = @repository.entry(@path, @rev)
                 (show_error_not_found; return) unless @entry
                 @changesets = @repository.latest_changesets(@path, @rev, Setting.repository_log_display_limit.to_i)
                 @properties = @repository.properties(@path, @rev)
                 @changeset = @repository.find_changeset_by_name(@rev)
               end
               def revisions
                 @changeset_count = @repository.changesets.count
                 @changeset_pages = Paginator.new @changeset_count,
                                                  per_page_option,
                                                  params['page']
                 @changesets = @repository.changesets.
                   limit(@changeset_pages.per_page).
                   offset(@changeset_pages.offset).
                   includes(:user, :repository, :parents).
                   to_a
                 respond_to do |format|
                   format.html { render :layout => false if request.xhr? }
                   format.atom { render_feed(@changesets, :title => "#{@project.name}: #{l(:label_revision_plural)}") }
                 end
               end
               def raw
                 entry_and_raw(true)
               end
               def entry
                 entry_and_raw(false)
               end
               def entry_and_raw(is_raw)
                 @entry = @repository.entry(@path, @rev)
                 (show_error_not_found; return) unless @entry
                 # If the entry is a dir, show the browser
                 (show; return) if @entry.is_dir?
                 if is_raw
                   # Force the download
                   send_opt = { :filename => filename_for_content_disposition(@path.split('/').last) }
                   send_type = Redmine::MimeType.of(@path)
                   send_opt[:type] = send_type.to_s if send_type
                   send_opt[:disposition] = disposition(@path)
                   send_data @repository.cat(@path, @rev), send_opt
                 else
                   if !@entry.size || @entry.size <= Setting.file_max_size_displayed.to_i.kilobyte
                     content = @repository.cat(@path, @rev)
                     (show_error_not_found; return) unless content
                     if content.size <= Setting.file_max_size_displayed.to_i.kilobyte &&
                        is_entry_text_data?(content, @path)
                       # TODO: UTF-16
                       # Prevent empty lines when displaying a file with Windows style eol
                       # Is this needed? AttachmentsController simply reads file.
                       @content = content.gsub("\r\n", "\n")
                     end
                   end
                   @changeset = @repository.find_changeset_by_name(@rev)
                 end
               end
               private :entry_and_raw
               def is_entry_text_data?(ent, path)
                 # UTF-16 contains "\x00".
                 # It is very strict that file contains less than 30% of ascii symbols
                 # in non Western Europe.
                 return true if Redmine::MimeType.is_type?('text', path)
                 # Ruby 1.8.6 has a bug of integer divisions.
                 # http://apidock.com/ruby/v1_8_6_287/String/is_binary_data%3F
                 return false if ent.is_binary_data?
                 true
               end
               private :is_entry_text_data?
               def annotate
                 @entry = @repository.entry(@path, @rev)
                 (show_error_not_found; return) unless @entry
                 @annotate = @repository.scm.annotate(@path, @rev)
                 if @annotate.nil? || @annotate.empty?
                   @annotate = nil
                   @error_message = l(:error_scm_annotate)
                 else
                   ann_buf_size = 0
                   @annotate.lines.each do |buf|
                     ann_buf_size += buf.size
                   end
                   if ann_buf_size > Setting.file_max_size_displayed.to_i.kilobyte
                     @annotate = nil
                     @error_message = l(:error_scm_annotate_big_text_file)
                   end
                 end
                 @changeset = @repository.find_changeset_by_name(@rev)
               end
               def revision
                 respond_to do |format|
                   format.html
                   format.js {render :layout => false}
                 end
               end
               # Adds a related issue to a changeset
               # POST /projects/:project_id/repository/(:repository_id/)revisions/:rev/issues
               def add_related_issue
                 issue_id = params[:issue_id].to_s.sub(/^#/,'')
                 @issue = @changeset.find_referenced_issue_by_id(issue_id)
                 if @issue && (!@issue.visible? || @changeset.issues.include?(@issue))
                   @issue = nil
                 end
                 if @issue
                   @changeset.issues << @issue
                 end
               end
               # Removes a related issue from a changeset
               # DELETE /projects/:project_id/repository/(:repository_id/)revisions/:rev/issues/:issue_id
               def remove_related_issue
                 @issue = Issue.visible.find_by_id(params[:issue_id])
                 if @issue
                   @changeset.issues.delete(@issue)
                 end
               end
               def diff
                 if params[:format] == 'diff'
                   @diff = @repository.diff(@path, @rev, @rev_to)
                   (show_error_not_found; return) unless @diff
                   filename = "changeset_r#{@rev}"
                   filename << "_r#{@rev_to}" if @rev_to
                   send_data @diff.join, :filename => "#{filename}.diff",
                                         :type => 'text/x-patch',
                                         :disposition => 'attachment'
                 else
                   @diff_type = params[:type] || User.current.pref[:diff_type] || 'inline'
                   @diff_type = 'inline' unless %w(inline sbs).include?(@diff_type)
                   # Save diff type as user preference
                   if User.current.logged? && @diff_type != User.current.pref[:diff_type]
                     User.current.pref[:diff_type] = @diff_type
                     User.current.preference.save
                   end
                   @cache_key = "repositories/diff/#{@repository.id}/" +
                                   Digest::MD5.hexdigest("#{@path}-#{@rev}-#{@rev_to}-#{@diff_type}-#{current_language}")
                   unless read_fragment(@cache_key)
                     @diff = @repository.diff(@path, @rev, @rev_to)
                     show_error_not_found unless @diff
                   end
                   @changeset = @repository.find_changeset_by_name(@rev)
                   @changeset_to = @rev_to ? @repository.find_changeset_by_name(@rev_to) : nil
                   @diff_format_revisions = @repository.diff_format_revisions(@changeset, @changeset_to)
                 end
               end
               def stats
               end
               def graph
                 data = nil
                 case params[:graph]
                 when "commits_per_month"
                   data = graph_commits_per_month(@repository)
                 when "commits_per_author"
                   data = graph_commits_per_author(@repository)
                 end
                 if data
                   headers["Content-Type"] = "image/svg+xml"
                   send_data(data, :type => "image/svg+xml", :disposition => "inline")
                 else
                   render_404
                 end
               end
               private
               def build_new_repository_from_params
                 scm = params[:repository_scm] || (Redmine::Scm::Base.all & Setting.enabled_scm).first
                 unless @repository = Repository.factory(scm)
                   render_404
                   return
                 end
                 @repository.project = @project
                 @repository.safe_attributes = params[:repository]
                 @repository
               end
               def find_repository
                 @repository = Repository.find(params[:id])
                 @project = @repository.project
               rescue ActiveRecord::RecordNotFound
                 render_404
               end
               REV_PARAM_RE = %r{\A[a-f0-9]*\Z}i
               def find_project_repository
                 @project = Project.find(params[:id])
                 if params[:repository_id].present?
                   @repository = @project.repositories.find_by_identifier_param(params[:repository_id])
                 else
                   @repository = @project.repository
                 end
                 (render_404; return false) unless @repository
                 @path = params[:path].is_a?(Array) ? params[:path].join('/') : params[:path].to_s
                 @rev = params[:rev].blank? ? @repository.default_branch : params[:rev].to_s.strip
                 @rev_to = params[:rev_to]
                 unless @rev.to_s.match(REV_PARAM_RE) && @rev_to.to_s.match(REV_PARAM_RE)
                   if @repository.branches.blank?
                     raise InvalidRevisionParam
                   end
                 end
               rescue ActiveRecord::RecordNotFound
                 render_404
               rescue InvalidRevisionParam
                 show_error_not_found
               end
               def find_changeset
                 if @rev.present?
                   @changeset = @repository.find_changeset_by_name(@rev)
                 end
                 show_error_not_found unless @changeset
               end
               def show_error_not_found
                 render_error :message => l(:error_scm_not_found), :status => 404
               end
               # Handler for Redmine::Scm::Adapters::CommandFailed exception
               def show_error_command_failed(exception)
                 render_error l(:error_scm_command_failed, exception.message)
               end
               def graph_commits_per_month(repository)
                 @date_to = User.current.today
                 @date_from = @date_to << 11
                 @date_from = Date.civil(@date_from.year, @date_from.month, 1)
                 commits_by_day = Changeset.
                   where("repository_id = ? AND commit_date BETWEEN ? AND ?", repository.id, @date_from, @date_to).
                   group(:commit_date).
                   count
                 commits_by_month = [0] * 12
                 commits_by_day.each {|c| commits_by_month[(@date_to.month - c.first.to_date.month) % 12] += c.last }
                 changes_by_day = Change.
                   joins(:changeset).
                   where("#{Changeset.table_name}.repository_id = ? AND #{Changeset.table_name}.commit_date BETWEEN ? AND ?", repository.id, @date_from, @date_to).
                   group(:commit_date).
                   count
                 changes_by_month = [0] * 12
                 changes_by_day.each {|c| changes_by_month[(@date_to.month - c.first.to_date.month) % 12] += c.last }
                 fields = []
                 today = User.current.today
 .times {|m| fields << month_name(((today.month - 1 - m) % 12) + 1)}
                 graph = SVG::Graph::Bar.new(
                   :height => 300,
                   :width => 800,
                   :fields => fields.reverse,
                   :stack => :side,
                   :scale_integers => true,
                   :step_x_labels => 2,
                   :show_data_values => false,
                   :graph_title => l(:label_commits_per_month),
                   :show_graph_title => true
                 )
                 graph.add_data(
                   :data => commits_by_month[0..11].reverse,
                   :title => l(:label_revision_plural)
                 )
                 graph.add_data(
                   :data => changes_by_month[0..11].reverse,
                   :title => l(:label_change_plural)
                 )
                 graph.burn
               end
               def graph_commits_per_author(repository)
                 #data
                 stats = repository.stats_by_author
                 fields, commits_data, changes_data = [], [], []
                 stats.each do |name, hsh|
                   fields << name
                   commits_data << hsh[:commits_count]
                   changes_data << hsh[:changes_count]
                 end
                 #expand to 10 values if needed
                 fields = fields + [""]*(10 - fields.length) if fields.length<10
                 commits_data = commits_data + [0]*(10 - commits_data.length) if commits_data.length<10
                 changes_data = changes_data + [0]*(10 - changes_data.length) if changes_data.length<10
                 # Remove email address in usernames
                 fields = fields.collect {|c| c.gsub(%r{<.+@.+>}, '') }
                 #prepare graph
                 graph = SVG::Graph::BarHorizontal.new(
                   :height => 30 * commits_data.length,
                   :width => 800,
                   :fields => fields,
                   :stack => :side,
                   :scale_integers => true,
                   :show_data_values => false,
                   :rotate_y_labels => false,
                   :graph_title => l(:label_commits_per_author),
                   :show_graph_title => true
                 )
                 graph.add_data(
                   :data => commits_data,
                   :title => l(:label_revision_plural)
                 )
                 graph.add_data(
                   :data => changes_data,
                   :title => l(:label_change_plural)
                 )
                 graph.burn
               end
               def disposition(path)
-                if Redmine::MimeType.is_type?('image', @path) || Redmine::MimeType.of(@path) == "application/pdf"
+                if Redmine::MimeType.of(@path) == "application/pdf"
                   'inline'
                 else
                   'attachment'
                 end
               end
             end

General Comments 0

Write
Preview

You need to be logged in to leave comments. Login now

No TODOs yet

	Site-wide shortcuts
/	Use quick search box
g h	Goto home page
g g	Goto my private gists page
g G	Goto my public gists page
g 0-9	Goto bookmarked items from 0-9
n r	New repository page
n g	New gist page

	Repositories
g s	Goto summary page
g c	Goto changelog page
g f	Goto files page
g F	Goto files page with file search activated
g p	Goto pull requests page
g o	Goto repository settings
g O	Goto repository access permissions settings
t s	Toggle sidebar on some pages