by ken 2210 days ago
Not all of it. Any bug attachments which don't have previews are served from https://github.com directly, for example.

Here, I uploaded that image from the other day that crashes some phones. I gzipped it so it wouldn't generate a preview, and attached it to a bug. When you click the "github.com" link, it downloads the file, and (at least with my web browser) uncompresses it and opens it with your default application. It's bit-for-bit the same as what I uploaded.

https://github.com/kengruven/strukt-bugs/issues/40

I don't know if this is exploitable. I haven't spent any time trying to break GitHub. This is just something I happened to notice once.

1 comment

That's interesting. It looks like the link is active, but the request to github.com results in a 302 redirect to S3.

I don't know what that would mean in this type of scenario (phishing) either. I wonder what an HTML attachment would look like...
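The thread turns on two facts a reader would want to verify for themselves: whether a link that shows github.com actually hands the bytes out from another host via a 302, and whether the final response would be rendered in the browser (the HTML-attachment case) or forced to download. Below is an added example, not code posted in the thread and not GitHub's own implementation, that follows a link one hop at a time without letting the HTTP library auto-follow redirects and then reports the final host and how a browser would treat the final Content-Type/Content-Disposition pair. All URLs, bucket names and responses in `_CONSTRUCTED` are made up so the example runs offline; `urllib_fetcher` is the live variant for use against a real link.

```python
"""Follow an attachment link hop by hop and report where its bytes actually
come from and how a browser would handle the final response."""
import urllib.error
import urllib.request
from dataclasses import dataclass
from urllib.parse import urljoin, urlparse


@dataclass
class Hop:
    url: str
    status: int
    headers: dict  # header names normalised to lowercase


class _NoRedirect(urllib.request.HTTPRedirectHandler):
    # Returning None makes urllib raise HTTPError on a 3xx instead of following
    # it, so every intermediate hop is observed rather than hidden.
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def urllib_fetcher(url: str) -> Hop:
    """Live fetcher (needs network): one request, redirects not followed."""
    opener = urllib.request.build_opener(_NoRedirect)
    req = urllib.request.Request(url, headers={"User-Agent": "redirect-check/0.1"})
    try:
        with opener.open(req, timeout=10) as resp:
            return Hop(url, resp.status, {k.lower(): v for k, v in resp.headers.items()})
    except urllib.error.HTTPError as e:
        return Hop(url, e.code, {k.lower(): v for k, v in e.headers.items()})


def follow_chain(url: str, fetcher, max_hops: int = 5) -> list:
    """Return the list of hops from the first URL to the final non-redirect."""
    chain = []
    while len(chain) < max_hops:
        hop = fetcher(url)
        chain.append(hop)
        location = hop.headers.get("location")
        if 300 <= hop.status < 400 and location:
            url = urljoin(url, location)  # Location may be relative
            continue
        break
    return chain


def assess(link_url: str, fetcher) -> dict:
    """Summarise the chain: does the final host differ from the displayed one,
    and would a browser render the final body in-page instead of downloading it?"""
    chain = follow_chain(link_url, fetcher)
    final = chain[-1]
    link_host = urlparse(link_url).hostname or ""
    final_host = urlparse(final.url).hostname or ""
    ctype = final.headers.get("content-type", "").split(";")[0].strip().lower()
    disp = final.headers.get("content-disposition", "").strip().lower()
    return {
        "hops": [(h.status, h.url) for h in chain],
        "final_host": final_host,
        "host_mismatch": final_host != link_host,
        "content_type": ctype,
        # Browsers render these types in-page unless the server forces a download.
        "renders_inline": ctype in {"text/html", "image/svg+xml"}
        and not disp.startswith("attachment"),
    }


# Constructed responses (not real GitHub or S3 hosts or paths) so this runs offline.
_CONSTRUCTED = {
    "https://github.com/example-org/example-repo/files/1/crash.png.gz": (
        302, {"location": "https://example-bucket.s3.amazonaws.com/1/crash.png.gz?sig=constructed"}),
    "https://example-bucket.s3.amazonaws.com/1/crash.png.gz?sig=constructed": (
        200, {"content-type": "application/gzip",
              "content-disposition": "attachment; filename=crash.png.gz"}),
    "https://github.com/example-org/example-repo/files/2/note.html": (
        302, {"location": "https://example-bucket.s3.amazonaws.com/2/note.html"}),
    "https://example-bucket.s3.amazonaws.com/2/note.html": (
        200, {"content-type": "text/html"}),  # no Content-Disposition: would render
}


def constructed_fetcher(url: str) -> Hop:
    status, headers = _CONSTRUCTED[url]
    return Hop(url, status, headers)


if __name__ == "__main__":
    for link in ("https://github.com/example-org/example-repo/files/1/crash.png.gz",
                 "https://github.com/example-org/example-repo/files/2/note.html"):
        print(link, assess(link, constructed_fetcher))
```

To check a real link, call `assess(url, urllib_fetcher)`; the `hops` list shows every 3xx on the way and `host_mismatch` tells you whether the host a reader sees in the link text is the host that actually serves the bytes. The `renders_inline` flag is the one that matters for the HTML-attachment question raised in the reply: a final response with `text/html` and no `Content-Disposition: attachment` is displayed, not downloaded.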