MyBB Community Forums

Full Version: [F] [1.4.8] Attached images open not in browser [C-Chris W B.]
Hi,

After the update from 1.4.7 to 1.4.8, attached images won't open 'inline' in the browser (in a new tab/window). Now when you click on a thumbnail you will be asked to download the image.

This can be reproduced here on myboard.net also.
(2009-06-26, 05:38 AM)Ryan Gordon Wrote: [ -> ]One Medium XSS vulnerability fixed in Attachments - This vulnerability was reported by frostschutz.
Please note that this patch will remove the ability to open some types of attachments directly in your browser (e.g. PDF), and will instead ask you to download them.
I sent Ryan Gordon some PMs, he'll probably kill me when he reads them later.
This will get marked as bogus. I saw this in the change section. Sort of a disappointment and I have to assume this was done to heighten security but it does stink.
This is not a bugfix, but the workaround I'm currently using. Use at your own risk.
I viewed your changes. Looks reasonable but why have PDF display inline?
Most people use Acrobat these days to read PDF embedded into the browser.

It's just a dirty workaround. A good solution requires more work.
I've applied frostschutz's functionality improvement to the MyBB 1.4.8 download and the MyBB Changed File package. I also updated the security patch instructions themselves. The new patch just provides some more convenient abilities. The old security patch works just fine and is secure so there is no need to rush to apply the fix, so long as you have the old one already.
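
The trade-off discussed in this thread (forcing every attachment to download versus letting images open in the browser) can be handled with a content-type allowlist. The following is an added example, not MyBB's code and not frostschutz's workaround; the function name `attachment_headers`, the allowlist and the sample inputs are assumptions made for illustration.

```php
<?php
// Added example, not MyBB code: pick response headers for an uploaded
// attachment so only allowlisted image types are rendered inline.

// Assumption: raster image types the board is willing to display inline.
// PDF is deliberately absent, so it is downloaded as the announcement says.
const INLINE_TYPES = ['image/png', 'image/jpeg', 'image/gif'];

function attachment_headers(string $bytes, string $filename): array
{
    // Detect the type from the content, never from the uploader's
    // file extension or the MIME type the client claimed.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $detected = $finfo->buffer($bytes) ?: 'application/octet-stream';

    $inline = in_array($detected, INLINE_TYPES, true);
    // Everything else is sent as opaque bytes and forced to download,
    // so the browser never renders it in the forum's origin.
    $type = $inline ? $detected : 'application/octet-stream';

    // Keep the filename from breaking out of the quoted parameter.
    $safe = preg_replace('/[^A-Za-z0-9._-]/', '_', basename($filename));

    return [
        'Content-Type: ' . $type,
        'Content-Disposition: ' . ($inline ? 'inline' : 'attachment')
            . '; filename="' . $safe . '"',
        // Stop the browser from second-guessing the declared type.
        'X-Content-Type-Options: nosniff',
    ];
}

// Constructed samples: a minimal GIF header, and HTML named like an image.
$samples = [
    'thumb.gif'  => "GIF89a\x01\x00\x01\x00\x00\x00\x00;",
    'banner.png' => '<html><body>hello</body></html>',
];

foreach ($samples as $name => $bytes) {
    echo $name, "\n";
    foreach (attachment_headers($bytes, $name) as $header) {
        echo '  ', $header, "\n";
    }
}
```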