Details
- Bug
- Resolution: Fixed
- Medium
- 9.4.3, 9.2.11, 9.5.1
- None
- 1
- Severity 2 - Major
Description
Problem
Bamboo allows customers to bypass security settings and permit inline content by enabling the "Allow artifacts to be embedded in Bamboo pages" property under Security settings. This feature works well for "local" artifacts, but whenever an S3 Artifact handler is used, download links are always presented with a URL that carries content-disposition=attachment, regardless of the file's MIME type. This metadata forces the browser to always download the content instead of rendering it directly on the page.
Environment
- Bamboo DC
Steps to Reproduce
- Set "Allow artifacts to be embedded in Bamboo pages" to either enabled or disabled; the result is the same
- Generate a "txt" or "html" file or a "jpeg/png" image as an artifact and store it using an S3 Artifact handler
- Locate the artifact, hover the mouse over the link, and note the value of the response-content-disposition property in the URL
- Click on the link
Expected Results
- When "Allow artifacts to be embedded in Bamboo pages" is enabled and the object's MIME type starts with image or text, or is application/xml, the browser should render it directly on the page
Actual Results
All files are downloaded
Workaround
Temporarily use a browser plugin such as https://modheader.com to override the content-disposition value and set it to inline when connecting to the S3 bucket.
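
The check from the reproduction steps can be scripted. The following is an added example, not Atlassian's code: it reads the response-content-disposition parameter from each artifact link and compares it with the rule in Expected Results, and it also flags the opposite failure, where a link asks for inline rendering although embedding is disabled. The function names and sample URLs are constructed for illustration, and reading "starts with image, text" as the prefixes `image/` and `text/` is an assumption.

```python
from typing import List, Optional, Tuple
from urllib.parse import parse_qs, urlsplit

# Rule from the ticket's Expected Results (prefix interpretation is an assumption).
INLINE_PREFIXES = ("image/", "text/")
INLINE_EXACT = {"application/xml"}

def expected_disposition(embed_allowed: bool, mime_type: str) -> str:
    """Disposition the link should request for this setting and MIME type."""
    mime = mime_type.split(";", 1)[0].strip().lower()  # drop "; charset=..." parameters
    if embed_allowed and (mime.startswith(INLINE_PREFIXES) or mime in INLINE_EXACT):
        return "inline"
    return "attachment"

def actual_disposition(url: str) -> Optional[str]:
    """Disposition type carried in the link's response-content-disposition parameter."""
    values = parse_qs(urlsplit(url).query).get("response-content-disposition")
    if not values:
        return None  # parameter absent: the stored object's own header applies
    return values[0].split(";", 1)[0].strip().lower()

def audit(links: List[Tuple[str, str]], embed_allowed: bool) -> List[Tuple[str, str, str, Optional[str]]]:
    """Return (url, mime, expected, actual) for every link that breaks the rule."""
    findings = []
    for url, mime in links:
        want, got = expected_disposition(embed_allowed, mime), actual_disposition(url)
        if got != want:
            findings.append((url, mime, want, got))
    return findings

# Constructed sample links (host, paths and signature are placeholders).
BASE = "https://s3.example.invalid/bamboo-artifacts/"
ATTACH = "?response-content-disposition=attachment%3B%20filename%3D%22{0}%22&X-Amz-Signature=PLACEHOLDER"
SAMPLE_LINKS = [
    (BASE + "report.html" + ATTACH.format("report.html"), "text/html; charset=utf-8"),
    (BASE + "shot.png" + ATTACH.format("shot.png"), "image/png"),
    (BASE + "build.zip" + ATTACH.format("build.zip"), "application/zip"),
]

if __name__ == "__main__":
    # With embedding enabled, the HTML and PNG links reproduce the bug; the ZIP is correct.
    for url, mime, want, got in audit(SAMPLE_LINKS, embed_allowed=True):
        print(f"{mime}: expected {want}, link requests {got}")
```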