Fix issue 2550848: HTML attachments should not be served as text/html

This adds whitelist of safe extensions based on analysis of all
committed mime-types to bugs.python.org and issues.roun...org

In future whitelist can be turned off with option
'render_unsafe_content' (like in Trac), but adding this new
feature requires minor version bump.

Author: techtonik

CHANGES.txt

@@ -120,13 +120,6 @@ Fixed:
   include the email addresses, depending on your installation you may
   want to further restrict this or add some attributes like ``address``
   and ``alternate_addresses``. (Ralf Schlatterbeck)
-- Security: Attached html files are not shipped as text/html by default,
-  unless ``allow_html_file`` is specified in the configuration.
-  Unfortunately some browsers want to be helpful and render other
-  non-standard content types as html. We now change this to
-  application/octet-stream whenever 'html' is contained in the string
-  (case insensitive). Thanks to Kay Hayen for reporting and helping
-  debug this. (Ralf Schlatterbeck)
 - Correctly recreate the database directory when re-initialising a tracker
   instance. (John Kristensen)
 - In case of an error, date fields would lose the calendar help, fixed.
@@ -140,6 +133,13 @@ Fixed:
   restore web presence for "Roundup�s Design Document" (anatoly techtonik)
 - Template jinja2: Updated URL to point to http://www.roundup-tracker.org/
   (Bernhard Reiter)
+- Security: Add mime-type whitelist for attachmens that can be safely
+  rendered from Roundup without trigerring security bugs in browser
+  plugins, XSS issues and spam. The option ``allow_html_file`` didn't
+  provide protection for invalid content-type, in which case browser
+  tried to guess the best one. Thanks to Kay Hayen for reporting and
+  helping debug this. issue2550848 (Ralf Schlatterbeck, anatoly techtonik)
+
 
 
 2013-07-06: 1.5.0

roundup/cgi/client.py

@@ -972,6 +972,32 @@ def serve_file(self, designator, dre=re.compile(r'([^\d]+)(\d+)')):
             raise Unauthorised(self._("You are not allowed to view "
                 "this file."))
 
+
+        # --- mime-type security
+        # mime type detection is performed in cgi.form_parser
+
+        # everything not here is served as 'application/octet-stream'
+        whitelist = [
+            'text/plain',
+            'text/x-csrc',   # .c
+            'text/x-chdr',   # .h
+            'text/x-patch',  # .patch and .diff
+            'text/x-python', # .py
+            'text/xml',
+            'text/csv',
+            'text/css',
+            'application/pdf',
+            'image/gif',
+            'image/jpeg',
+            'image/png',
+            'image/webp',
+            'audio/ogg',
+            'video/webm',
+        ]
+
+        if self.instance.config['WEB_ALLOW_HTML_FILE']:
+            whitelist.append('text/html')
+
         try:
             mime_type = klass.get(nodeid, 'type')
         except IndexError, e:
@@ -980,12 +1006,11 @@ def serve_file(self, designator, dre=re.compile(r'([^\d]+)(\d+)')):
         if not mime_type:
             mime_type = 'text/plain'
 
-        # if the mime_type is HTML-ish then make sure we're allowed to serve up
-        # HTML-ish content
-        if 'html' in str (mime_type).lower () :
-            if not self.instance.config['WEB_ALLOW_HTML_FILE']:
-                # do NOT serve the content up as HTML
-                mime_type = 'application/octet-stream'
+        if mime_type not in whitelist:
+            mime_type = 'application/octet-stream'
+
+        # --/ mime-type security
+
 
         # If this object is a file (i.e., an instance of FileClass),
         # see if we can find it in the filesystem.  If so, we may be