[%# This Source Code Form is subject to the terms of the Mozilla Public
  # License, v. 2.0. If a copy of the MPL was not distributed with this
  # file, You can obtain one at http://mozilla.org/MPL/2.0/.
  #
  # This Source Code Form is "Incompatible With Secondary Licenses", as
  # defined by the Mozilla Public License, v. 2.0.
  #%]

[%
  # Heading and one-line summary for the attachment parameter group.
  title = "Attachments"
  desc = "Set up attachment options"
%]

[%
  # Descriptive text for each attachment parameter, keyed by parameter name.
  # Each value is built from string fragments joined with the `_` operator.
  # NOTE(review): several fragments start or end with blank lines, and one
  # holds nothing but newlines. This copy looks as if its HTML markup was
  # stripped - compare with the upstream template before editing the text.
  param_descs = {

    # Controls whether the browser may render attachments inline or must
    # always download them. The text presents "off" as the restriction for
    # installations where untrusted users can upload, and recommends setting
    # attachment_base whenever this is turned on.
    allow_attachment_display =>
      "If this option is on, users will be able to view attachments from"
      _ " their browser, if their browser supports the attachment's MIME type."
      _ " If this option is off, users are forced to download attachments,"
      _ " even if the browser is able to display them."
      _ "

This is a security restriction for installations where untrusted"
      _ " users may upload attachments that could be potentially damaging if"
      _ " viewed directly in the browser.

"
      _ "

It is highly recommended that you set the attachment_base"
      _ " parameter if you turn this parameter on.",

    # Alternate base URL used to serve attachments. Per the text it must
    # differ from urlbase/sslbase and must not be matched by cookiedomain, so
    # that an attachment displayed inline cannot reach the viewer's Bugzilla
    # cookies or act with their credentials. The optional %bugid% placeholder
    # gives each bug its own hostname, which the text says limits an
    # attachment to other attachments on the same bug.
    # NOTE(review): every such hostname has to point at this installation;
    # presumably that means wildcard DNS, plus a matching certificate when
    # served over HTTPS - confirm against the deployment documentation.
    attachment_base =>
      "When the allow_attachment_display parameter is on, it is "
      _ " possible for a malicious attachment to steal your cookies or"
      _ " perform an attack on Bugzilla using your credentials."
      _ "

If you would like additional security on attachments to avoid"
      _ " this, set this parameter to an alternate URL for your Bugzilla"
      _ " that is not the same as urlbase or sslbase."
      _ " That is, a different domain name that resolves to this exact"
      _ " same Bugzilla installation.

"
      _ "

Note that if you have set the"
      _ " cookiedomain"
      _ " parameter, you should set attachment_base to use a"
      _ " domain that would not be matched by"
      _ " cookiedomain.

"
      _ "

For added security, you can insert %bugid% into the URL,"
      _ " which will be replaced with the ID of the current $terms.bug that"
      _ " the attachment is on, when you access an attachment. This will limit"
      _ " attachments to accessing only other attachments on the same"
      _ " ${terms.bug}. Remember, though, that all those possible domain names "
      _ " (such as 1234.your.domain.com) must point to this same"
      _ " Bugzilla instance.",

    # Lets administrators delete the content of attachments.
    # NOTE(review): the text does not say whether a deletion is recorded or
    # reversible - confirm before enabling on a tracker used as a record.
    allow_attachment_deletion =>
      "If this option is on, administrators will be able to delete "
      _ "the content of attachments.",

    # Size cap, in kilobytes, for attachments stored in the database. Larger
    # files are checked against maxlocalattachment; a file over both limits
    # is rejected, and 0 for both parameters disables attaching altogether.
    # NOTE(review): "Settings both parameters" in the last fragment is a typo
    # for "Setting"; it is runtime text, so it is left unchanged here.
    maxattachmentsize =>
      "The maximum size (in kilobytes) of attachments to be stored "
      _ "in the database. If a file larger than this size is attached "
      _ "to ${terms.abug}, Bugzilla will look at the "
      _ "maxlocalattachment parameter "
      _ "to determine if the file can be stored locally on the web server. "
      _ "If the file size exceeds both limits, then the attachment is rejected. "
      _ "Settings both parameters to 0 will prevent attaching files to ${terms.bugs}.",

    # Size cap, in megabytes, for attachments stored on the web server's
    # filesystem. The unit differs from maxattachmentsize (kilobytes).
    # NOTE(review): the "lower than the maxattachmentsize parameter" rule in
    # the text presumably applies after unit conversion - confirm.
    maxlocalattachment =>
      "The maximum size (in megabytes) of attachments to be stored "
      _ "locally on the web server. If set to a value lower than the "
      _ "maxattachmentsize parameter, "
      _ "attachments will never be kept on the local filesystem. "
      _ "If you want to store all attachments on disk rather than in the "
      _ "database, then set "
      _ "maxattachmentsize parameter to 0. ",

    # Selects the header used to hand locally stored attachments to the web
    # server instead of serving them through the CGI script. Attachments kept
    # in the database are always handled by the CGI script.
    # NOTE(review): the fragment after "as follows:" holds only newlines, so
    # the list of accepted header values is missing from this copy - restore
    # it from the upstream template.
    # NOTE(review): when offloading is enabled, confirm that the web server
    # serves the attachment directory only in response to this header and not
    # by direct URL, so that Bugzilla's own access checks still apply.
    xsendfile_header =>
      "By default, attachments are served by the CGI script. "
      _ "If you enable filesystem file storage for large files using the "
      _ "maxlocalattachment parameter "
      _ "then you can have those files served directly by the webserver, which "
      _ "avoids copying them entirely into memory, and this may result in a "
      _ "performance improvement. To do this, configure your webserver appropriately "
      _ "and then set the correct header, as follows:"
      _ "


"
      _ "Please note that attachments stored in the database cannot be offloaded "
      _ "to apache/nginx/lighttpd and are always handled by the CGI script."
  }
%]