From 15d0ea8c596f306131de2bd7edd1ae28ff122103 Mon Sep 17 00:00:00 2001
From: Go MAEDA <maeda@farend.jp>
Date: Mon, 18 Sep 2023 02:26:15 +0000
Subject: [PATCH] Merged r22294 and r22295 from trunk to 5.0-stable (#38417).
git-svn-id: https://svn.redmine.org/redmine/branches/5.0-stable@22296 e93f8b46-1217-0410-a6f0-8f06a7374b81
---
app/controllers/attachments_controller.rb | 7 ++++++-
app/controllers/repositories_controller.rb | 5 +++++
2 files changed, 11 insertions(+), 1 deletion(-)
diff --git a/app/controllers/attachments_controller.rb b/app/controllers/attachments_controller.rb
index c991fce0674..e3d3c5bd4ec 100644
--- a/app/controllers/attachments_controller.rb
+++ b/app/controllers/attachments_controller.rb
@@ -89,7 +89,7 @@ def thumbnail
tbnail,
:filename => filename_for_content_disposition(@attachment.filename),
:type => detect_content_type(@attachment, true),
- :disposition => 'inline')
+ :disposition => 'attachment')
end
else
# No thumbnail for the attachment or thumbnail could not be created
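Review bot: The switch to `:disposition => 'attachment'` in `thumbnail` carries no comment, and because thumbnails are images a later cleanup could plausibly revert it to `'inline'`. A one-line comment above the call that sends `tbnail` would record the intent, for example `# Sent as an attachment so a thumbnail URL opened directly is downloaded, not rendered as a document`. That intent is inferred from the rest of this commit rather than stated in it, so the author should confirm the wording. The `thumbnail` method starts and ends outside this hunk.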
@@ -321,4 +321,9 @@ def raw_request_body
request.raw_post
end
end
+
+ def send_file(path, options={})
+ headers['content-security-policy'] = "default-src 'none'; style-src 'unsafe-inline'; sandbox"
+ super
+ end
end
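Review bot: The header is set only in the `send_file` override, so any response in this controller that goes out through `send_data` would not carry it; no such call is visible in this hunk, so this needs checking against the rest of the file. The same applies to the identical override added in repositories_controller.rb, where the policy string is duplicated verbatim. Keeping the policy in one shared place, and applying it from both `send_file` and a matching `send_data` override, would stop the two controllers from drifting apart. A short comment above the header assignment, such as `# No scripts or subresources, sandboxed; inline styles allowed`, would explain the directive choice.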
diff --git a/app/controllers/repositories_controller.rb b/app/controllers/repositories_controller.rb
index 0e83bfa1ec2..147a60c1206 100644
--- a/app/controllers/repositories_controller.rb
+++ b/app/controllers/repositories_controller.rb
@@ -433,6 +433,11 @@ def disposition(path)
end
end
+ def send_file(path, options={})
+ headers['content-security-policy'] = "default-src 'none'; style-src 'unsafe-inline'; sandbox"
+ super
+ end
+
def valid_name?(rev)
return true if rev.nil?
return true if REV_PARAM_RE.match?(rev)