[tahoe-lafs-trac-stream] [tahoe-lafs] #1828: Problem with linked images' display in rst docs from trac
tahoe-lafs
trac at tahoe-lafs.org
Mon Jun 17 23:48:45 UTC 2013
#1828: Problem with linked images' display in rst docs from trac
-------------------------+--------------------------
Reporter: mk.fg | Owner: zooko
Type: defect | Status: assigned
Priority: minor | Milestone: undecided
Component: website | Version: n/a
Resolution: | Keywords: website docs
Launchpad Bug: |
-------------------------+--------------------------
Comment (by nejucomo):
+1 for zooko's proposed solution of a separate upload, because it seems
simplest to implement.

To me, it seems the "cleanest" approach is to add logic to the trac
renderer which knows to point any relative links in the rst to the raw url
(`.../export/...` rather than `.../browser/...`). This seems like a
general feature the trac renderer would benefit from.

As for the XSS vulnerability: We already have that because of the
`.../export/...` feature which spits out raw files. The renderer is just
a different vector, which is more complicated to attack. This means we
rely on all committers to omit malicious files anywhere in the repository,
where "malicious file" means it would abuse a web-site viewer's account or
resources.

I'm going to spend a little while tomorrow investigating trac config and
features to see if it has my proposed "clean" solution, and if not, I'd
advocate Zooko's proposal of a simple static directory where we upload
generated results of doc rendering. This could possibly be triggered by
some git hook associated with a pre-existing repository on that box.

One downside of this approach is that people may still browse and link to
the trac-rendered, broken documentation.
--
Ticket URL: <https://tahoe-lafs.org/trac/tahoe-lafs/ticket/1828#comment:14>
tahoe-lafs <https://tahoe-lafs.org>
secure decentralized storage