Roundup Tracker - Issues

Issue 2550897

classification
Title: Add config option to set allow_list for acceptable mime types to serve. - A better solution for serving html attachments
Type: security Severity: normal
Components: Web interface Versions: devel
process
Status: fixed Resolution: fixed
Assigned To: rouilj
Nosy List: ber, rouilj
Priority: normal Keywords: StarterTicket

Created on 2015-12-02 20:08 by ber, last changed 2024-07-17 00:35 by rouilj.

Messages
msg5393 Author: [hidden] (ber) Date: 2015-12-02 20:08
In msg5188 of issue2550848 a better solution is outlined.
This is the issue to track it.
msg5838 Author: [hidden] (rouilj) Date: 2016-07-12 01:03
How does the following sound?

We keep the default whitelist and replace allow_html_file with
two options:
  
  # Roundup has a whitelist of mime types that it will serve. If a
  # file's mime type is in the whitelist, it will be served using the
  # mime type. If the file type is not in the whitelist, the file will
  # be served with type application/octet-stream.
  # If you want to override the whitelist, set this to no and set the
  # mime types in serve_mime_types.
  use_default_whitelist = yes

  # A comma separated list of mime types that will be served by roundup.
  # If use_default_whitelist is yes, these will be added to the default
  # whitelist. Otherwise they will be the only types that are not
  # served as application/octet-stream.
  serve_mime_types = 


Thoughts?
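The two-option semantics proposed in msg5838, written out as an added Python example (not Roundup's own code, which later took a different route via interfaces.py). The default list, the function names and the decision to compare only the media type (ignoring parameters such as charset) are assumptions made for this example.

```python
# Added example: the allowlist logic of the proposed use_default_whitelist /
# serve_mime_types options. Not Roundup's code.

# Constructed placeholder for "the default whitelist"; Roundup's real list
# differs and is not reproduced here.
DEFAULT_WHITELIST = frozenset({
    "text/plain", "image/png", "image/jpeg", "image/gif", "application/pdf",
})
FALLBACK_TYPE = "application/octet-stream"


def parse_serve_mime_types(value):
    """Parse the comma separated serve_mime_types setting (case-insensitive)."""
    return frozenset(t.strip().lower() for t in value.split(",") if t.strip())


def effective_allowlist(use_default_whitelist, serve_mime_types):
    """Types that may be served with their own Content-Type.

    use_default_whitelist=yes: default list plus serve_mime_types.
    use_default_whitelist=no:  serve_mime_types is the whole list.
    """
    extra = parse_serve_mime_types(serve_mime_types)
    return DEFAULT_WHITELIST | extra if use_default_whitelist else extra


def content_type_to_serve(file_mime_type, use_default_whitelist=True,
                          serve_mime_types=""):
    """Content-Type to send for a stored file under the proposed options.

    Anything not on the effective allowlist is downgraded to
    application/octet-stream so the browser will not render it inline.
    """
    # Assumption: only the media type is compared; parameters are ignored.
    media_type = file_mime_type.split(";", 1)[0].strip().lower()
    allowed = effective_allowlist(use_default_whitelist, serve_mime_types)
    return file_mime_type if media_type in allowed else FALLBACK_TYPE
```

With the defaults an uploaded text/html file is served as application/octet-stream; an admin who really wants HTML rendered must add text/html to serve_mime_types.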
msg7528 Author: [hidden] (rouilj) Date: 2022-05-15 17:31
Bern,

Any thoughts on my suggestion of adding use_default_whitelist and
serve_mime_types?

I wonder if setting serve_mime_types should just override the default list making
use_default_whitelist unneeded?

Should serve_mime_types be renamed somehow? allowed_serve_mime_types maybe?
msg8108 Author: [hidden] (rouilj) Date: 2024-07-17 00:35
In release 2.4.0, the allowed list is exposed at the class level and can be manipulated
via interfaces.py.

See doc at:

  https://www.roundup-tracker.org/docs/admin_guide.html#controlling-browser-handling-of-attached-files

I don't expect this will be customized often, so leave this as an interfaces tweak
rather than config file. It keeps the allow_html_file config.ini setting.
History
Date                 User    Action  Args
2024-07-17 00:35:36  rouilj  set     status: new -> fixed
                                     title: Add config option to set whitelist for acceptable mime types to serve. - A better solution for serving html attachments -> Add config option to set allow_list for acceptable mime types to serve. - A better solution for serving html attachments
                                     resolution: fixed
                                     messages: + msg8108
                                     assignee: rouilj
                                     type: security
2022-05-15 17:31:56  rouilj  set     keywords: + StarterTicket
                                     messages: + msg7528
                                     title: Add config option to set whitelist for acceptable mime types. - A better solution for serving html attachments -> Add config option to set whitelist for acceptable mime types to serve. - A better solution for serving html attachments
2016-07-12 01:03:45  rouilj  set     nosy: + rouilj
                                     messages: + msg5838
                                     title: A better solution for serving html attachments -> Add config option to set whitelist for acceptable mime types. - A better solution for serving html attachments
2015-12-02 20:08:58  ber     create