refactor: make mime_type_allowlist class prop to configure from interfaces.py

rouilj · rouilj · commit db074fc94859 · 2024-06-17T23:35:03.000-04:00
The list of mime types that are served to the browser was located in a
list inside a function. The allow_html_file setting provided a limited
mechanism to add/remove the text/html mime type from the list.

Move the list from the function to the Client class level so that the
admin can add/remove from the list as required using interfaces.py.

Also remove application/pdf by default and provide docs in
admin_guide.txt on how to reenable viewing pdf's in the browser.
diff --git a/doc/admin_guide.txt b/doc/admin_guide.txt
@@ -324,6 +324,47 @@ get the gzip version and not a brotli compressed version. This
 mechanism allows the admin to allow use of brotli and zstd for
 dynamic content, but not for static content.
 
+.. _browser_handling_attached_files:
+
+.. index:: single: interfaces.py; Controlling browser handling of attached files
+
+Controlling Browser Handling of Attached Files
+==============================================
+
+You may be aware of the ``allow_html_file`` `config.ini setting
+<reference.html#config-ini-section-web>`_. When set to yes, it permits
+html files to be attached and displayed in the browser as html
+files. The underlying mechanism used to enable/disable attaching HTML
+is exposed using ``interfaces.py``.
+
+Similar to ``Client.precompressed_mime_types`` above, there is a
+``Client.mime_type_allowlist``. If a mime type is present in this
+list, an attachment with this mime type is served to the browser. If
+the mime type is not present, the mime type is set to
+``application/octet-stream`` which causes the browser to download the
+attachment to a file.
+
+In release 2.4.0, the mime type ``application/pdf`` was removed from
+the precompressed_mime_types list. This prevents the browser from
+executing scripts that may be included in the PDF file. If you trust
+the individuals uploading PDF files to your tracker and wish to allow
+viewing PDF files from your tracker, you can do so by editing your
+tracker's "interfaces.py" file. Adding::
+
+  from roundup.cgi.client import Client
+  Client.mime_type_allowlist.append('application/pdf')
+
+will permit the PDF files to be viewed in the browser rather than
+downloaded to a file.
+
+Similarly, you can remove a mime type (e.g. audio/oog) using::
+
+  from roundup.cgi.client import Client
+  Client.mime_type_allowlist.remove('audio/oog')
+
+which will force the browser to save the attachment to a file rather
+than playing the audio file.
+
 .. index:: single: interfaces.py; setting REST maximum result limit
 
 Configuring REST Maximum Result Limit
diff --git a/roundup/cgi/client.py b/roundup/cgi/client.py
@@ -373,6 +373,32 @@ class Client:
     except ImportError:
         pass
 
+    # everything not here is served as 'application/octet-stream'
+    # Moved to class so it can be modified from interfaces.py
+    # Adding:
+    #  from roundup.cgi.client import Client
+    #  Client.mime_type_allowlist.append('application/pdf')
+    # will permit pdf files to be displayed in the browser rather than
+    # downloaded to a file.
+
+    mime_type_allowlist = [
+        'text/plain',
+        'text/x-csrc',    # .c
+        'text/x-chdr',    # .h
+        'text/x-patch',   # .patch and .diff
+        'text/x-python',  # .py
+        'text/xml',
+        'text/csv',
+        'text/css',
+        'image/gif',
+        'image/jpeg',
+        'image/png',
+        'image/svg+xml',
+        'image/webp',
+        'audio/ogg',
+        'video/webm',
+    ]
+
     # mime types of files that are already compressed and should not be
     # compressed on the fly. Can be extended/reduced using interfaces.py.
     # This excludes types from being compressed. Should we have a list
@@ -1859,28 +1885,8 @@ def serve_file(self, designator, dre=dre):
         # --- mime-type security
         # mime type detection is performed in cgi.form_parser
 
-        # everything not here is served as 'application/octet-stream'
-        mime_type_allowlist = [
-            'text/plain',
-            'text/x-csrc',    # .c
-            'text/x-chdr',    # .h
-            'text/x-patch',   # .patch and .diff
-            'text/x-python',  # .py
-            'text/xml',
-            'text/csv',
-            'text/css',
-            'application/pdf',
-            'image/gif',
-            'image/jpeg',
-            'image/png',
-            'image/svg+xml',
-            'image/webp',
-            'audio/ogg',
-            'video/webm',
-        ]
-
         if self.instance.config['WEB_ALLOW_HTML_FILE']:
-            mime_type_allowlist.append('text/html')
+            self.mime_type_allowlist.append('text/html')
 
         try:
             mime_type = klass.get(nodeid, 'type')
@@ -1890,7 +1896,7 @@ def serve_file(self, designator, dre=dre):
         if not mime_type:
             mime_type = 'text/plain'
 
-        if mime_type not in mime_type_allowlist:
+        if mime_type not in self.mime_type_allowlist:
             mime_type = 'application/octet-stream'
 
         # --/ mime-type security
