h2o
June 3, 2021, 11:41am
42
tmassman:
The problem is that with this patch we a) decrease the user experience — e.g. PDFs can not be viewed in the browser anymore, they have to be downloaded (and the downloaded PDF might be viewed in the browser, but not the online version)
A client reported the same issue yesterday. The portal is a Plone 4.3 site. Some PDF files using @@display-view will cause a download. Others display on the browser. What I have noticed is that files that resulted in a download had the extra header:
content-disposition: attachment; filename="some.pdf"
mauritsvanrees:
PDF seems safe to add there yes. A patch in your own code could work, something like this (untested):
from Products.PloneHotfix20210518 import namedfile
namedfile.ALLOWED_INLINE_MIMETYPES.append("application/pdf")
The above resolved the issue and PDF files now display inline instead of being downloaded.
1 Like
jensens
June 4, 2021, 8:10am
43
Same here, I had a customer complaining about PDF downloads. The above lines are fixing it.
Technically, PDFs could be vulnerable too. See https://owasp.org/www-pdf-archive/OWASP_IL_The_Universal_XSS_PDF_Vulnerability.pdf
I do wonder about changing the hotfix to optionally use a short blacklist instead of the current whitelist, triggered by an OS environment variable. Would that help?
Blacklist would be:
application/javascript
application/x-javascript
text/javascript
text/html
image/svg+xml
image/svg+xml-compressed
I hope we have them all then... I have these from http://localhost:8080/Plone/mimetypes_registry/manage_main
mauritsvanrees:
You are right. I didn't realise that the hotfix would make the inline diff and code diff that much alike. Well, there are still differences, but with the hotfix the inline diff shows html code, so it has gotten uglier.
Here is the PR for merging the hotfix into Products.CMFDiffTool. After this is merged, someone could try to improve it.
I have a PR to improve this and use the safe html transform for the inline diff of rich text fields:
plone:master ← plone:maurits/use-safe-html-transform
opened 11:06PM - 04 Jun 21 UTC
The changes from PloneHotfix20210518 1.0 were taken over in PR #39.
But this ma… kes the inline diff of rich text fields look almost the same as the code diff. In other words: it is not actually inline anymore. See report on [community](https://community.plone.org/t/security-patch-released-20210518/13841/29?u=mauritsvanrees) by @pgrunewald
It took me a while to realise that this is only a problem for rich text fields, not for other fields.
With the current PR, we have two functions:
- `html_escape` (called `html_encode` in the hotfix): escape html, for example turn `<` into `<`
- `html_safe`: return html with dangerous tags removed, using safe html transform.
We use `html_escape` everywhere, except in rich text fields, where we use `html_safe`.
I want to add this to a new version of the hotfix as well.
I may add that to a new version of the hotfix as well.
tkimnguyen
June 14, 2021, 3:40pm
46
