Should show images

Bug #388661 reported by Alexandre Garnier on 2009-06-17
This bug affects 3 people
Affects: loggerhead | Importance: Wishlist | Assigned to: Unassigned
Affects: loggerhead-breezy | Importance: Wishlist | Assigned to: Unassigned

Bug Description

Images are binaries displayable by the browser, so loggerhead should show them in:
* revision view with old in red background and new in green background
* annotate view

On Wed, 2009-06-17 at 20:46 +0000, Alexandre Garnier wrote:
> Public bug reported:
>
> Images are binaries displayable by the browser, so loggerhead should show them in:
> * revision view with old in red background and new in green background
> * annotate view

Images are likely a huge risk for content-sniffing attacks. The
content-sniffing behaviour analysis done by Google and in discussion on
the IETF-HTTP-wg list should be consulted before considering doing this.

-Rob

Martin Pool (mbp) wrote :

The risk as I understand it is: someone commits an image into a branch
on Launchpad (for example) that actually contains malicious content
that does a cross-site scripting attack that steals the viewer's
Launchpad credentials.

Alexandre Garnier (zigarn) wrote :

Maybe add an option to deactivate it in sensible environments.
In my case, loggerhead is used at work for a private repository without that kind of risk.

Yes, an option would make sense to me.

As a future feature, loggerhead could have another option to check the
image is valid (e.g. by calling out to "jpeginfo -c").

Michael Hudson-Doyle (mwhudson) wrote :

I think a --trust-content flag would be nice.

Changed in loggerhead:
importance: Undecided → Medium
status: New → Triaged

Max Kanat-Alexander (mkanat) wrote :

We don't show them in /annotate/ or /revision/ yet, but they are displayable if you use /raw/ now, on trunk.

Changed in loggerhead:
assignee: nobody → Max Kanat-Alexander (mkanat)
status: Triaged → Fix Committed
status: Fix Committed → Triaged
assignee: Max Kanat-Alexander (mkanat) → nobody
importance: Medium → Wishlist

Jelmer Vernooij (jelmer) on 2018-10-20
Changed in loggerhead-breezy:
status: New → Triaged
importance: Undecided → Wishlist
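
The mitigations raised in this thread (content sniffing, an opt-in option, a validity check) can be combined when choosing response headers for a raw file view. The sketch below is an added example, not loggerhead code: `raw_response_headers`, `safe_filename` and the `trust_content` parameter (modelled on the proposed --trust-content flag) are hypothetical names, and the signature check is a cheaper stand-in for full validation such as "jpeginfo -c".

```python
# Added example, not loggerhead code; all function names here are hypothetical.
import posixpath
import re

# Leading bytes of the only formats allowed to render inline.
IMAGE_SIGNATURES = (
    (b"\x89PNG\r\n\x1a\n", "image/png"),
    (b"\xff\xd8\xff", "image/jpeg"),
    (b"GIF87a", "image/gif"),
    (b"GIF89a", "image/gif"),
)

def sniff_image_type(body):
    """Return the MIME type matching the blob's leading bytes, or None."""
    for magic, mime in IMAGE_SIGNATURES:
        if body.startswith(magic):
            return mime
    return None

def safe_filename(path):
    """Basename reduced to characters that cannot break out of a header value."""
    name = re.sub(r"[^A-Za-z0-9._-]", "_", posixpath.basename(path))
    return name or "download"

def raw_response_headers(path, body, trust_content=False):
    """Headers for serving one committed file from a raw view."""
    headers = {
        # The browser must use the declared type and never guess from the bytes.
        "X-Content-Type-Options": "nosniff",
        # If the response is opened as a document, nothing in it may execute.
        "Content-Security-Policy": "default-src 'none'; sandbox",
    }
    mime = sniff_image_type(body) if trust_content else None
    if mime:
        # The type is derived from the bytes, never from the committed file name.
        headers["Content-Type"] = mime
        headers["Content-Disposition"] = "inline"
    else:
        # Everything else is offered as a download, so the browser does not render it.
        headers["Content-Type"] = "application/octet-stream"
        headers["Content-Disposition"] = 'attachment; filename="%s"' % safe_filename(path)
    return headers

# Constructed samples: a PNG header, and HTML committed under an image name.
PNG_BLOB = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
HTML_AS_PNG = b"<html><script>/* constructed sample */</script></html>"
if __name__ == "__main__":
    for blob in (PNG_BLOB, HTML_AS_PNG):
        print(raw_response_headers("logo.png", blob, trust_content=True))
```

A matching signature does not prove the rest of the file is a well-formed image, which is why the nosniff and sandbox headers are sent in every case.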