html_url | issue_url | id | node_id | user | created_at | updated_at | author_association | body | reactions | issue | performed_via_github_app |
---|---|---|---|---|---|---|---|---|---|---|---|
https://github.com/simonw/datasette/issues/1036#issuecomment-713899530 | https://api.github.com/repos/simonw/datasette/issues/1036 | 713899530 | MDEyOklzc3VlQ29tbWVudDcxMzg5OTUzMA== | 9599 | 2020-10-21T21:55:00Z | 2020-10-21T21:55:00Z | OWNER | This code needs these permission checks: https://github.com/simonw/datasette/blob/bf82b3d6a605c9ddadd5fb739249dfe6defaf635/datasette/views/table.py#L911-L913 | { "total_count": 0, "+1": 0, "-1": 0, "laugh": 0, "hooray": 0, "confused": 0, "heart": 0, "rocket": 0, "eyes": 0 } | 725996507 | |
https://github.com/simonw/datasette/issues/1036#issuecomment-713821656 | https://api.github.com/repos/simonw/datasette/issues/1036 | 713821656 | MDEyOklzc3VlQ29tbWVudDcxMzgyMTY1Ng== | 9599 | 2020-10-21T19:22:45Z | 2020-10-21T19:41:48Z | OWNER | So for https://latest.datasette.io/fixtures/binary_data the BLOB download URLs would be: `https://latest.datasette.io/fixtures/-/blob/binary_data/1/data.blob` - that last bit after the primary key is to indicate the `data` column. With these headers: - `Content-Disposition: attachment; filename="binary_data-1-data.blob"` - `X-Content-Type-Options: nosniff` - `Content-Type: application/binary` | { "total_count": 0, "+1": 0, "-1": 0, "laugh": 0, "hooray": 0, "confused": 0, "heart": 0, "rocket": 0, "eyes": 0 } | 725996507 | |
https://github.com/simonw/datasette/issues/1036#issuecomment-713830842 | https://api.github.com/repos/simonw/datasette/issues/1036 | 713830842 | MDEyOklzc3VlQ29tbWVudDcxMzgzMDg0Mg== | 9599 | 2020-10-21T19:41:20Z | 2020-10-21T19:41:20Z | OWNER | Another useful demo database: https://datasette-render-images-demo.datasette.io/favicons/favicons - see https://datasette-render-images-demo.datasette.io/favicons/favicons.csv | { "total_count": 0, "+1": 0, "-1": 0, "laugh": 0, "hooray": 0, "confused": 0, "heart": 0, "rocket": 0, "eyes": 0 } | 725996507 | |
https://github.com/simonw/datasette/issues/1036#issuecomment-713829629 | https://api.github.com/repos/simonw/datasette/issues/1036 | 713829629 | MDEyOklzc3VlQ29tbWVudDcxMzgyOTYyOQ== | 9599 | 2020-10-21T19:38:43Z | 2020-10-21T19:38:43Z | OWNER | Should this work just for BLOB columns, or should it work for other columns too? For the moment I'm going to restrict it to BLOBs, since data from other columns is available through the UI whereas BLOB columns are not. | { "total_count": 0, "+1": 0, "-1": 0, "laugh": 0, "hooray": 0, "confused": 0, "heart": 0, "rocket": 0, "eyes": 0 } | 725996507 | |
https://github.com/simonw/datasette/issues/1036#issuecomment-713818817 | https://api.github.com/repos/simonw/datasette/issues/1036 | 713818817 | MDEyOklzc3VlQ29tbWVudDcxMzgxODgxNw== | 9599 | 2020-10-21T19:17:01Z | 2020-10-21T19:17:01Z | OWNER | Actually I like `.blob` | { "total_count": 0, "+1": 0, "-1": 0, "laugh": 0, "hooray": 0, "confused": 0, "heart": 0, "rocket": 0, "eyes": 0 } | 725996507 | |
https://github.com/simonw/datasette/issues/1036#issuecomment-713818178 | https://api.github.com/repos/simonw/datasette/issues/1036 | 713818178 | MDEyOklzc3VlQ29tbWVudDcxMzgxODE3OA== | 9599 | 2020-10-21T19:15:38Z | 2020-10-21T19:16:34Z | OWNER | What should the suggested filename be? I think something that includes the table name, primary key and the name of the column would work. How about a file extension? I guess `.binary`, then let the user rename it? Or `.raw`. | { "total_count": 0, "+1": 0, "-1": 0, "laugh": 0, "hooray": 0, "confused": 0, "heart": 0, "rocket": 0, "eyes": 0 } | 725996507 | |
https://github.com/simonw/datasette/issues/1036#issuecomment-713278349 | https://api.github.com/repos/simonw/datasette/issues/1036 | 713278349 | MDEyOklzc3VlQ29tbWVudDcxMzI3ODM0OQ== | 9599 | 2020-10-21T03:42:29Z | 2020-10-21T03:42:29Z | OWNER | Possible URL for this: `/db/table/-/blob/primary-keys` - this would use the `/db/table/-/` namespace proposed in #296. | { "total_count": 0, "+1": 0, "-1": 0, "laugh": 0, "hooray": 0, "confused": 0, "heart": 0, "rocket": 0, "eyes": 0 } | 725996507 | |
https://github.com/simonw/datasette/issues/1036#issuecomment-713226726 | https://api.github.com/repos/simonw/datasette/issues/1036 | 713226726 | MDEyOklzc3VlQ29tbWVudDcxMzIyNjcyNg== | 9599 | 2020-10-21T01:04:25Z | 2020-10-21T01:04:25Z | OWNER | Extra security idea: a `blob_download_host` setting which can be used to indicate a host that should be used for downloads - for example `datasettestatic.com`. If this setting is populated then binary downloads are served from paths on that host only, and no other Datasette URLs from that host will be served. | { "total_count": 0, "+1": 0, "-1": 0, "laugh": 0, "hooray": 0, "confused": 0, "heart": 0, "rocket": 0, "eyes": 0 } | 725996507 | |
https://github.com/simonw/datasette/issues/1036#issuecomment-713186189 | https://api.github.com/repos/simonw/datasette/issues/1036 | 713186189 | MDEyOklzc3VlQ29tbWVudDcxMzE4NjE4OQ== | 9599 | 2020-10-20T22:56:33Z | 2020-10-20T22:56:33Z | OWNER | I think this plus the binary-CSV stuff in #1034 will justify a dedicated section of the documentation to talk about how Datasette handles binary BLOB columns. | { "total_count": 0, "+1": 0, "-1": 0, "laugh": 0, "hooray": 0, "confused": 0, "heart": 0, "rocket": 0, "eyes": 0 } | 725996507 | |
https://github.com/simonw/datasette/issues/1036#issuecomment-713185871 | https://api.github.com/repos/simonw/datasette/issues/1036 | 713185871 | MDEyOklzc3VlQ29tbWVudDcxMzE4NTg3MQ== | 9599 | 2020-10-20T22:55:36Z | 2020-10-20T22:55:36Z | OWNER | I can also use a `Content-Disposition` header to force a download. I'm reasonably confident that the combination of `Content-Disposition` and `X-Content-Type-Options: nosniff` and `application/binary` will let me allow users to download the contents of arbitrary BLOB columns without any XSS risk. | { "total_count": 0, "+1": 0, "-1": 0, "laugh": 0, "hooray": 0, "confused": 0, "heart": 0, "rocket": 0, "eyes": 0 } | 725996507 | |
https://github.com/simonw/datasette/issues/1036#issuecomment-713185173 | https://api.github.com/repos/simonw/datasette/issues/1036 | 713185173 | MDEyOklzc3VlQ29tbWVudDcxMzE4NTE3Mw== | 9599 | 2020-10-20T22:53:41Z | 2020-10-20T22:53:41Z | OWNER | https://security.stackexchange.com/questions/12896/does-x-content-type-options-really-prevent-content-sniffing-attacks says: > In Tangled Web Michal Zalewski says: > > > Refrain from using Content-Type: application/octet-stream and use application/binary instead, especially for unknown document types. Refrain from returning Content-Type: text/plain. > > > > For example, any code-hosting platform must exercise caution when returning executables or source archives as application/octet-stream, because there is a risk they may be misinterpreted as HTML and displayed inline. | { "total_count": 0, "+1": 0, "-1": 0, "laugh": 0, "hooray": 0, "confused": 0, "heart": 0, "rocket": 0, "eyes": 0 } | 725996507 | |
https://github.com/simonw/datasette/issues/1036#issuecomment-713184374 | https://api.github.com/repos/simonw/datasette/issues/1036 | 713184374 | MDEyOklzc3VlQ29tbWVudDcxMzE4NDM3NA== | 9599 | 2020-10-20T22:51:22Z | 2020-10-20T22:51:22Z | OWNER | From https://hackerone.com/reports/126197: > archive.uber.com mirrors pypi. When downloading `.tar.gz` files from archive.uber.com, the MIME type is `application/octet-stream`. Injecting `<html><script>alert(0)</script>` into the start of the `.tar.gz` causes an XSS in Internet Explorer due to MIME sniffing. So you do have to be careful not to open accidental XSS holes with `application/octet-stream` thanks to (presumably older) versions of IE. From that thread it looks like the solution is to add a `X-Content-Type-Options: nosniff` header. | { "total_count": 0, "+1": 0, "-1": 0, "laugh": 0, "hooray": 0, "confused": 0, "heart": 0, "rocket": 0, "eyes": 0 } | 725996507 | |
https://github.com/simonw/datasette/issues/1036#issuecomment-713183306 | https://api.github.com/repos/simonw/datasette/issues/1036 | 713183306 | MDEyOklzc3VlQ29tbWVudDcxMzE4MzMwNg== | 9599 | 2020-10-20T22:48:10Z | 2020-10-20T22:48:10Z | OWNER | Twitter thread: https://twitter.com/dancow/status/1318681053347840005 | { "total_count": 0, "+1": 0, "-1": 0, "laugh": 0, "hooray": 0, "confused": 0, "heart": 0, "rocket": 0, "eyes": 0 } | 725996507 | |
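The header combination the thread converges on for BLOB downloads (forced `Content-Disposition: attachment`, `X-Content-Type-Options: nosniff`, `Content-Type: application/binary`, and a `table-pk-column.blob` filename), as an added example that is not Datasette's own code. The function names, the filename sanitisation and the response checker are this example's assumptions; the thread only specifies the headers and the filename pattern.

```python
"""Build and check the response headers proposed in the thread for serving
untrusted BLOB bytes as a download. Added example, not Datasette code."""
import re
from typing import Dict, List

# Assumption of this example: table and column names come from the database,
# so they are not trusted as raw header input. Anything that could terminate
# the quoted filename or the header line (quotes, CR/LF, semicolons, ...) is
# replaced with "_" before it reaches Content-Disposition.
_UNSAFE_FILENAME_CHARS = re.compile(r"[^A-Za-z0-9._-]")


def suggested_filename(table: str, pk, column: str) -> str:
    """Filename pattern from the thread: <table>-<pk>-<column>.blob"""
    parts = [_UNSAFE_FILENAME_CHARS.sub("_", str(p)) for p in (table, pk, column)]
    return "{}-{}-{}.blob".format(*parts)


def blob_download_headers(table: str, pk, column: str) -> Dict[str, str]:
    """The three headers the thread settles on: force a download, forbid MIME
    sniffing, and use application/binary instead of application/octet-stream."""
    return {
        "Content-Disposition": 'attachment; filename="{}"'.format(
            suggested_filename(table, pk, column)
        ),
        "X-Content-Type-Options": "nosniff",
        "Content-Type": "application/binary",
    }


def blob_download_problems(headers: Dict[str, str]) -> List[str]:
    """Check a response that serves untrusted bytes against the thread's
    requirements. Returns a list of missing protections; empty means all
    three are present. Header names are matched case-insensitively."""
    lower = {k.lower(): v for k, v in headers.items()}
    problems = []
    if not lower.get("content-disposition", "").lower().startswith("attachment"):
        problems.append("Content-Disposition is not 'attachment'")
    if lower.get("x-content-type-options", "").lower() != "nosniff":
        problems.append("X-Content-Type-Options: nosniff is missing")
    ctype = lower.get("content-type", "").lower()
    # text/* is rendered inline; application/octet-stream is what the
    # HackerOne report and Zalewski's advice in the thread warn against.
    if ctype in ("", "text/plain", "text/html", "application/octet-stream"):
        problems.append("Content-Type {!r} is sniffable or renderable".format(ctype))
    return problems


if __name__ == "__main__":
    # Constructed sample matching the thread's example row: fixtures/binary_data, pk 1, column data
    good = blob_download_headers("binary_data", 1, "data")
    print(good)
    print("hardened response problems:", blob_download_problems(good))
    # Constructed "before" response in the style of the mirror in the HackerOne report
    legacy = {"Content-Type": "application/octet-stream"}
    print("legacy response problems:", blob_download_problems(legacy))
```

The checker is written as a function so it can be dropped into a test suite against real responses: request each BLOB URL and assert that `blob_download_problems(response.headers)` is empty, which catches a regression in any one of the three headers rather than only the content type.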