Edgewall Software

Opened 17 years ago

Closed 16 years ago

#5557 closed defect (worksforme)

[PATCH]: Attachment download missing 'filename=' in header

Reported by: osimons <simon-code@…>
Owned by: Jonas Borgström
Priority: normal
Milestone:
Component: attachment
Version: 0.10-stable
Severity: normal
Keywords: attachment
Cc:
Branch:
Release Notes:
API Changes:
Internal Changes:

Description

Following [4946] an important piece of information for downloading attachments disappeared, and at least on IE7 the download/save dialogue is:

  • only providing save option, and not the usual 'Open/Run' or 'Save'.
  • missing file ending, so if you try to download 'mytool.exe' it will try to save only 'mytool' - having to add the ending manually, and regardless of file type.
  • and, it will not recognize the file type, always listing it as 'Unknown File Type'.

Here is a tested patch for 0.10-stable:

  • trac-0.10-stable/trac/attachment.py

     
    561561                    # Force browser to download files instead of rendering
    562562                    # them, since they might contain malicious code enabling
    563563                    # XSS attacks
    564                     req.send_header('Content-Disposition', 'attachment')
     564                    req.send_header('Content-Disposition', 'attachment; ' +
     565                                    'filename=' + attachment.filename)
    565566                if format == 'txt':
    566567                      mime_type = 'text/plain'
    567568                elif not mime_type:
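
Review bot: at new lines 564-565, attachment.filename is concatenated into the header value unquoted and unescaped, so a name containing a space, semicolon or double quote produces a malformed filename parameter, and any CR or LF in the name would be written straight into the response header line. Suggest removing control characters, escaping `"` and `\`, and wrapping the result in double quotes before passing it to req.send_header. Nothing here encodes non-ASCII names either, so that case needs an explicit decision and a test.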

In all other modules where there is download, this seems to be correct - if the file is placed in htdocs and served through Chrome, it provides correct information. Also trying to download files in original format from wiki, browser and so on.

Patch tested on IE, Firefox, Camino and Safari.

Attachments (0)

Change History (3)

comment:1 by Christian Boos, 17 years ago

Keywords: attachment added

(digging in my mailbox)

(jonas)

(cmlenz)

(jonas' patch)
+ # XSS attacks
+ req.send_header('Content-Disposition', 'attachment')

Why's there no filename parameter for this one?

Since it's not really needed. Browsers fallback on the last segment of the url. And as far as I know all three major browsers expect non-ascii filenames to be escaped in different ways. So there is no good way to generate a valid filename parameter without looking at the user agent string.

So can you test your patch with a filename containing unicode characters, to check whether your patch still works or fails as jonas predicted?

Besides attachments, a similar change occurred in the browser module.

comment:2 by osimons <simon-code@…>, 17 years ago

Have tested it - uploading a unicode filename from osx, and downloading on pc. The patch works in that it provides the open/run and save buttons, correct filetype and ending and so on.

However, the filename does get a bit garbled - some tiny changes moving between platforms, and more through the open/save dialogue. Without the patch the trac display and windows save filename are the same (only platform-garbling :-).

The same behavior is used at:

All of these can have a unicode string as the filename, I suppose.
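
One way to emit the `filename` parameter discussed in comment:1 and comment:2 without inspecting the user agent: a quoted ASCII fallback plus the RFC 5987 `filename*` parameter, with control characters removed first. This is an added example, not Trac's code; the function name `content_disposition`, the `download` default and the sample filenames are assumptions made for illustration.

```python
import re
import unicodedata
from urllib.parse import quote


def content_disposition(filename, disposition="attachment"):
    """Return a Content-Disposition value that is safe for any filename."""
    # Remove control/format characters (CR, LF, NUL, ...) so the name
    # cannot terminate the header line or smuggle in a second header.
    cleaned = "".join(
        ch for ch in filename if not unicodedata.category(ch).startswith("C")
    )
    # Keep only the last path segment; use a fixed name if nothing is left.
    cleaned = re.split(r"[\\/]", cleaned)[-1] or "download"

    # ASCII fallback for the plain filename= parameter: strip accents via
    # NFKD decomposition, replace whatever is still non-ASCII with "_".
    decomposed = unicodedata.normalize("NFKD", cleaned)
    fallback = "".join(
        ch if ch.isascii() else "_"
        for ch in decomposed
        if not unicodedata.combining(ch)
    )
    # Inside the quoted-string only the double quote needs escaping here
    # (backslashes were already removed by the path split above).
    value = '%s; filename="%s"' % (disposition, fallback.replace('"', '\\"'))

    # RFC 5987 extended parameter: UTF-8, percent-encoded, added only when
    # the ASCII fallback cannot represent the name exactly.
    if fallback != cleaned:
        value += "; filename*=UTF-8''" + quote(cleaned, safe="")
    return value


if __name__ == "__main__":
    # Constructed sample names, not taken from the ticket's test upload.
    for name in ["mytool.exe", "my report.pdf", "r\u00e9sum\u00e9.txt",
                 "a.txt\r\nSet-Cookie: x=1"]:
        print(content_disposition(name))
```

User agents that understand `filename*` use it in preference to `filename`; older ones ignore it and save under the ASCII fallback.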

comment:3 by osimons, 16 years ago

Component: general → attachment
Resolution: worksforme
Status: new → closed

Wonder what happened here. Using current trunk and current IE7 this does not seem to be a problem any more. The Open/Run + Save dialogue looks just fine.

I don't actually know why, but anyway I'm happy to close this as 'worksforme' using latest versions.
