<?xml version="1.0" encoding="UTF-8"?><!-- generator="wordpress/2.0.7" -->
<rss version="2.0" 
	xmlns:content="http://purl.org/rss/1.0/modules/content/">
<channel>
	<title>Comments on: Trac ticket system susceptible to redirects</title>
	<link>http://spamhuntress.com/2006/09/07/trac-ticket-system-susceptible-to-redirects/</link>
	<description>Just another WordPress weblog</description>
	<pubDate>Tue, 02 Dec 2008 15:16:34 +0000</pubDate>
	<generator>http://wordpress.org/?v=2.0.7</generator>

	<item>
		<title>by: Christopher Lenz</title>
		<link>http://spamhuntress.com/2006/09/07/trac-ticket-system-susceptible-to-redirects/#comment-38660</link>
		<pubDate>Thu, 07 Sep 2006 15:01:25 +0000</pubDate>
		<guid>http://spamhuntress.com/2006/09/07/trac-ticket-system-susceptible-to-redirects/#comment-38660</guid>
					<description>Trac has an option called "render_unsafe_content" that is disabled by default. If it is disabled, Trac will not render an attachment, but rather add a `Content-Disposition: attachment` header that forces the browser to download the file instead of displaying it. That option was added in Trac 0.9.3.

Thus a redirect in an attachment should not be working unless (a) the aforementioned option is enabled in the configuration (which is only recommended for closed environments), or (b) it doesn't work correctly in some cases. I have not yet experienced the latter myself, so I think (a) is the issue here, which means it would boil down to a misconfiguration on the lighttpd site and other deployments of Trac.</description>
		<content:encoded><![CDATA[<p>Trac has an option called &#8220;render_unsafe_content&#8221; that is disabled by default. If it is disabled, Trac will not render an attachment, but rather add a `Content-Disposition: attachment` header that forces the browser to download the file instead of displaying it. That option was added in Trac 0.9.3.</p>
<p>Thus a redirect in an attachment should not be working unless (a) the aforementioned option is enabled in the configuration (which is only recommended for closed environments), or (b) it doesn&#8217;t work correctly in some cases. I have not yet experienced the latter myself, so I think (a) is the issue here, which means it would boil down to a misconfiguration on the lighttpd site and other deployments of Trac.
</p>
]]></content:encoded>
				</item>
</channel>
</rss>
