Opened at 2012-10-25T14:03:22Z
Last modified at 2016-03-27T18:58:27Z
#1828 closed defect
Problem with linked images' display in rst docs from trac — at Version 12
| Reported by: | mk.fg | Owned by: | zooko |
|---|---|---|---|
| Priority: | minor | Milestone: | undecided |
| Component: | website | Version: | n/a |
| Keywords: | website docs | Cc: | mk.fraggod@…, zooko |
| Launchpad Bug: |
Description (last modified by zooko)
For example, it can be seen on docs/specifications/file-encoding.rst. Following code appears there:
<img alt="file-encoding1.svg" src="file-encoding1.svg" />
URL in "src" attribute now leads to HTML page of trac (with embedded image), but should lead to raw image itself for it to be rendered.
Change History (12)
comment:1 Changed at 2012-10-25T14:06:16Z by mk.fg
- Cc mk.fraggod@… added
- Keywords website docs added
comment:2 Changed at 2012-10-25T15:55:42Z by davidsarah
comment:3 Changed at 2012-10-25T18:14:44Z by mk.fg
I vaguely remember that the images were displayed on docs in the past, so I'd guess maybe some configuration bits from darcs plugin were not applied to git.
Ideally, I imagine it might have a whitelist of mime-types (like "image/*") or file patterns (like "*.{jpg,png,svg}") to serve raw, but lacking that I can imagine a following workaround (nginx config syntax):
location ~ ^/trac/tahoe-lafs/browser/git/docs/(\S+\.(svg|png|jpg|gif))$ {
uwsgi_param REQUEST_URI /trac/tahoe-lafs/export/master/git/docs/$1;
uwsgi_param PATH_INFO /trac/tahoe-lafs/export/master/git/docs/$1;
uwsgi_pass unix:/run/uwsgi/trac.sock;
}
location / {
... block for the rest of the urls
}
(nginx seem to be advertised in the response headers)
I think it'd only introduce a little bit of unexpected behavior for users who might browse git tree and expect intermediate page for images, not the raw entities, but I think it shouldn't be that much of a problem either (browsers seem to handle images w/o html wrapping).
comment:4 Changed at 2012-10-25T18:22:57Z by zooko
- Cc zooko added
- Owner set to zooko
- Status changed from new to assigned
comment:5 Changed at 2012-10-25T18:24:10Z by zooko
mk-fg: I'm willing to try some tweak to the nginx/uwsgi configuration, but what should it be, exactly? To make all .svg's and .jpg's be served raw by nginx? Or maybe configure trac to render them when it serves them?
comment:6 Changed at 2012-10-25T18:52:14Z by mk.fg
Apologies for snippet being unhelpful, should've explained it with words.
The above tweak doesn't make nginx serve files as such, they are still served by trac, just as per the following link:
https://tahoe-lafs.org/trac/tahoe-lafs/export/master/git/docs/specifications/file-encoding1.svg
What it does is for any uri like "/trac/tahoe-lafs/browser/git/docs/specifications/file-encoding1.svg" (matching regexp pattern in the location block) to pass uri like "/trac/tahoe-lafs/export/master/git/docs/specifications/file-encoding1.svg" to uwsgi and trac, so it will serve the raw file back to nginx.
I.e. it doesn't work around trac (which might be a bad idea, and probably not so easy to do for a bare git repo), so all the trac checks and tricks are in place, and it will only apply to "docs/" path in git.
I'm afraid I'm not aware of a way to make trac serve raw images by default and looking over git configuration section in a trac I maintain, I can't see any option to make it do that (as I think it did with darcs), but if such option exists, imho it might be a bit more consistent solution, though maybe a bit less convenient since it might be undesirable to display raw image attachments in wiki and tickets.
Does it make any sense?
comment:7 Changed at 2012-10-25T19:02:56Z by mk.fg
Forgot to mention the downside, which probably should be considered.
Links like this one with images embedded have info about git revision these images came from and related links for revision/repo navigation, which will be inaccessible if such links will always be served raw.
Should still be possible to get to any revision by other means and pick the image there, but if this interface is commonly used (more so than docs with embedded images), proposed change might be undesirable.
comment:8 follow-up: ↓ 9 Changed at 2012-10-25T20:52:36Z by davidsarah
Note that SVGs allow scripts, so serving them raw would in fact introduce an XSS vulnerability.
comment:9 in reply to: ↑ 8 ; follow-up: ↓ 10 Changed at 2012-10-25T20:53:59Z by davidsarah
Replying to davidsarah:
Note that SVGs allow scripts, so serving them raw would in fact introduce an XSS vulnerability.
... which we may already be vulnerable to.
comment:10 in reply to: ↑ 9 ; follow-up: ↓ 11 Changed at 2012-10-26T00:25:44Z by mk.fg
Replying to davidsarah:
Note that SVGs allow scripts, so serving them raw would in fact introduce an XSS vulnerability.
... which we may already be vulnerable to.
Whoa, you're right, didn't know about that at all.
But I still think benefits far outweight the risks in this case ;)
And it shouldn't be that dangerous coming from tahoe git. Trac shouldn't be that high-value target to worry about anything more sophisticated than wide-spectrum spam botnets, I think.
comment:11 in reply to: ↑ 10 Changed at 2012-10-26T00:30:13Z by mk.fg
Replying to mk.fg:
Replying to davidsarah:
Note that SVGs allow scripts, so serving them raw would in fact introduce an XSS vulnerability.
... which we may already be vulnerable to.
Whoa, you're right, didn't know about that at all.
But I still think benefits far outweight the risks in this case ;)
Though maybe easy win-win solution would be to just convert these images to png and commit them like that, disallowing svg in trac from then on.
comment:12 Changed at 2013-06-16T00:55:23Z by zooko
- Description modified (diff)
#2004 was a duplicate of this.
Hmm. I think the syntax will work for local files, and we don't want to break that. Perhaps the trac can be configured to serve those files raw, but I don't know whether it deliberately avoids doing that as an XSS defence.