[Gforge-devel] RE: Porn on GForge.org
Robert Nelson
robertn at the-nelsons.org
Wed Mar 14 18:37:43 EDT 2007
> -----Original Message-----
> From: gforge-devel-bounces at lists.gforge.org [mailto:gforge-devel-
> bounces at lists.gforge.org] On Behalf Of Tim Perdue
> Sent: Sunday, March 11, 2007 7:32 AM
> To: gforge-devel at lists.gforge.org
> Subject: Re: [Gforge-devel] RE: Porn on GForge.org
>
> Robert Nelson wrote:
> > I just committed a fix to download.php that adds the requirement that the
> > user be logged in to download files. I also changed the disposition from
> > the filename to "attachment". This causes the browser to always ask whether
> > to open or save the file.
> >
> > My suggestion to change the Content-Type header didn't help for all the
> > browsers in all situations.
> >
> > I committed this change to both the trunk and the 4.6 branch.
> >
> > It should probably also go into the 4.5 branch.
>
> Thanks, did you add to the doc mgr, forums, snippets, frs ?
>
> Those are potential trouble spots too. FRS and Doc Mgr need an admin to
> approve the file so it's not as much of a problem.
>
I have fixes for all of these. The changes I made were primarily to add
attachment to Content-Disposition. This ensures that the user is prompted
whether to download or open the file. This reduces the chances of malicious
attachments being processed on users' machines without their interaction.

I changed Forum and Tracker attachment downloads so the user must be logged
in. I didn't require the user to be logged in to download FRS or DocMan
files since these must be either uploaded or approved by an admin or project
member. I felt that requiring a logged-in user would interfere with
automated downloads and installations.

I also enhanced the snippets so that the suggested filename is snippet_$id
with the language-specific extension appended, for example snippet_1.c.

Should I commit all these changes to the 4.6 branch?
> --
> Tim Perdue,
> http://gforgegroup.com
>
> PH 515-554-9520
> FAX 504-910-3655
> _______________________________________________
> Gforge-devel mailing list
> Gforge-devel at lists.gforge.org
> http://lists.gforge.org/mailman/listinfo/gforge-devel
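The hardening Robert describes (force a download prompt via Content-Disposition: attachment, require a login for Forum and Tracker attachments but not FRS or DocMan, and suggest snippet_$id plus a language extension for snippets), written out as an added example. This is not GForge's download.php; the function names, the language-to-extension table and the HTTP 403 response are assumptions made for illustration.

```php
<?php
// Added example, not GForge code. Assumes PHP 7+.

// Suggested filename for a snippet: snippet_<id>.<ext>, e.g. snippet_1.c.
// The language table is an assumption; GForge's own list may differ.
function snippet_filename(int $id, string $language): string {
    static $ext = ['C' => 'c', 'C++' => 'cpp', 'PHP' => 'php',
                   'Perl' => 'pl', 'Python' => 'py', 'Shell' => 'sh'];
    return 'snippet_' . $id . '.' . ($ext[$language] ?? 'txt');
}

// Forum and Tracker attachments are uploaded by any user, so a login is
// required. FRS and DocMan files were already uploaded or approved by an
// admin or project member, and automated downloads must keep working.
function download_requires_login(string $section): bool {
    return in_array($section, ['forum', 'tracker'], true);
}

// Headers that make the browser prompt instead of rendering the file in
// place. The thread notes that changing Content-Type alone did not help in
// every browser, so the attachment disposition is what carries the fix.
// The filename is reduced to a safe ASCII token so user-supplied names
// cannot inject quotes or extra header parameters.
function download_headers(string $filename, int $length): array {
    $safe = preg_replace('/[^A-Za-z0-9._-]/', '_', basename($filename));
    if ($safe === '' || $safe[0] === '.') {
        $safe = 'download_' . $safe;
    }
    return [
        'Content-Type: application/octet-stream',
        'Content-Disposition: attachment; filename="' . $safe . '"',
        'Content-Length: ' . $length,
    ];
}

// Hypothetical handler tying the pieces together for one download request.
function serve_download(string $section, bool $logged_in,
                        string $path, string $filename): void {
    if (download_requires_login($section) && !$logged_in) {
        http_response_code(403);   // or redirect to the login page
        exit;
    }
    foreach (download_headers($filename, filesize($path)) as $h) {
        header($h);
    }
    readfile($path);
}
```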