Security patch released 20210518

A client reported the same issue yesterday. The portal is a Plone 4.3 site. Some PDF files using @@display-view will cause a download. Others display on the browser. What I have noticed is that files that resulted in a download had the extra header:

content-disposition: attachment; filename="some.pdf"

The above resolved the issue and PDF files now display inline instead of being downloaded.

Same here, I had a customer complaining about PDF downloads. The above lines are fixing it.

Technically, PDFs could be vulnerable too. See https://owasp.org/www-pdf-archive/OWASP_IL_The_Universal_XSS_PDF_Vulnerability.pdf
But that was a bug when 􏰀Adobe Acrobat Reader was used to view the PDF in the browser, and this program has meanwhile been patched. I don't see when this was though.

I do wonder about changing the hotfix to optionally use a short blacklist instead of the current whitelist, triggered by an OS environment variable. Would that help?

Blacklist would be:

application/javascript
application/x-javascript
text/javascript
text/html
image/svg+xml
image/svg+xml-compressed

I hope we have them all then... I have these from http://localhost:8080/Plone/mimetypes_registry/manage_main

I have a PR to improve this and use the safe html transform for the inline diff of rich text fields:

I may add that to a new version of the hotfix as well.

A post was split to a new topic: Security patch 20210518 version 1.4 released

:partying_face: