@recaptime-dev's working patches + fork for Phorge, a community fork of Phabricator. (Upstream dev and stable branches are at upstream/main and upstream/stable respectively.) hq.recaptime.dev/wiki/Phorge

Enforce viewable MIME types config on PDF documents

Summary:
Let instance admins decide whether to allow PDFs to be viewable as a Web page. See <https://github.com/mozilla-conduit/phabricator/commit/5ec132bf9ebfb90558f1b7f646772176629f86d0>.

MOZILLA: Instead of always allowing PDFs to be viewable in the web UI, [...]
This checks that the PDF mimetype is viewable according to the system
configuration.

Ref Q83.

Test Plan:
1. Set `files.viewable-mime-types` to exclude application/pdf.
2. Upload a pdf file.
3. See "No document engine can render the contents of this file." in web UI.

Reviewers: O1 Blessed Committers, speck

Reviewed By: O1 Blessed Committers, speck

Subscribers: speck, tobiaswiese, valerio.bozzolan, Matthew, Cigaryno

Differential Revision: https://we.phorge.it/D25464

+14 -10
+5 -3
src/applications/files/config/PhabricatorFilesConfigOptions.php
··· 134 134 ->setDescription( 135 135 pht( 136 136 "Configure which uploaded file types may be viewed directly ". 137 - "in the browser. Other file types will be downloaded instead ". 138 - "of displayed. This is mainly a usability consideration, since ". 139 - "browsers tend to freak out when viewing very large binary files.". 137 + "in the browser. Other types will be downloaded instead of ". 138 + "displayed. This is a usability and security consideration, ". 139 + "since browsers tend to freak out when viewing very large ". 140 + "binary files, and some types may be vulnerable to XSS attacks ". 141 + "when viewed in a browser.". 140 142 "\n\n". 141 143 "The keys in this map are viewable MIME types; the values are ". 142 144 "the MIME types they are delivered as when they are viewed in ".
+9 -7
src/applications/files/document/PhabricatorPDFDocumentEngine.php
··· 14 14 } 15 15 16 16 protected function canRenderDocumentType(PhabricatorDocumentRef $ref) { 17 - // Since we just render a link to the document anyway, we don't need to 18 - // check anything fancy in config to see if the MIME type is actually 19 - // viewable. 17 + $viewable_types = PhabricatorEnv::getEnvConfig('files.viewable-mime-types'); 18 + $viewable_types = array_keys($viewable_types); 20 19 21 - return $ref->hasAnyMimeType( 22 - array( 23 - 'application/pdf', 24 - )); 20 + $pdf_types = array( 21 + 'application/pdf', 22 + ); 23 + 24 + return 25 + $ref->hasAnyMimeType($viewable_types) && 26 + $ref->hasAnyMimeType($pdf_types); 25 27 } 26 28 27 29 protected function newDocumentContent(PhabricatorDocumentRef $ref) {
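Review bot: In src/applications/files/config/PhabricatorFilesConfigOptions.php, the added wording "some types may be vulnerable to XSS attacks when viewed in a browser" places the risk on the file type, whereas the exposure is that an uploaded file of such a type is displayed inline instead of downloaded and may carry active content. Suggest something like "some types can carry content that executes script when viewed in a browser". The description also never says that application/pdf is now governed by this map, although the PDF document engine in this same change starts consulting it. A sentence noting that leaving application/pdf out of the keys disables in-browser PDF viewing would tell administrators what the option now controls.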
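Review bot: In canRenderDocumentType() in src/applications/files/document/PhabricatorPDFDocumentEngine.php, the removed comment explained why config was not consulted, and the replacement code carries no comment saying why it now is. Please add a short one stating that the engine only claims a PDF when its MIME type is a key in `files.viewable-mime-types`. The return expression also tests the ref against the full viewable list and against `$pdf_types` in two separate hasAnyMimeType() calls. Computing `array_intersect($pdf_types, $viewable_types)` first and making a single call with the result would state the intent (a PDF type that is also viewable) more directly, provided hasAnyMimeType() returns false for an empty list, which is not visible in this hunk.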