[%# This Source Code Form is subject to the terms of the Mozilla Public
  # License, v. 2.0. If a copy of the MPL was not distributed with this
  # file, You can obtain one at http://mozilla.org/MPL/2.0/.
  #
  # This Source Code Form is "Incompatible With Secondary Licenses", as
  # defined by the Mozilla Public License, v. 2.0.
  #%]
[%
  # Heading and one-line summary for this parameter section.
  title = "Attachments"
  desc = "Set up attachment options"
%]
[%
  # param_descs maps each parameter name in this section to its description text.
  #
  # NOTE(review): several strings below hold a literal line break directly after
  # the opening quote or before the closing quote. This looks like paragraph
  # markup that was lost in this copy; confirm against the upstream template
  # before relying on the exact layout.
  param_descs = {

  # allow_attachment_display: described as a security restriction. When it is on,
  # uploaded content is shown by the browser instead of being downloaded, and the
  # text recommends setting attachment_base alongside it.
  allow_attachment_display =>
    "If this option is on, users will be able to view attachments from"
    _ " their browser, if their browser supports the attachment's MIME type."
    _ " If this option is off, users are forced to download attachments,"
    _ " even if the browser is able to display them."
    _ "
This is a security restriction for installations where untrusted"
    _ " users may upload attachments that could be potentially damaging if"
    _ " viewed directly in the browser.
"
    _ "It is highly recommended that you set the attachment_base"
    _ " parameter if you turn this parameter on.",

  # attachment_base: the isolation control for inline display. The text asks for
  # a host that differs from urlbase/sslbase and that cookiedomain does not match,
  # so an attachment opened in the browser is not handed the Bugzilla cookies.
  # With %bugid% in the URL each bug gets its own hostname, and the text requires
  # every such name to point at this same installation.
  # NOTE(review): if attachment_base is an https URL, the certificate presumably
  # has to cover those per-bug hostnames as well - confirm for the deployment.
  attachment_base =>
    "When the allow_attachment_display parameter is on, it is "
    _ " possible for a malicious attachment to steal your cookies or"
    _ " perform an attack on Bugzilla using your credentials."
    _ "
If you would like additional security on attachments to avoid"
    _ " this, set this parameter to an alternate URL for your Bugzilla"
    _ " that is not the same as urlbase or sslbase."
    _ " That is, a different domain name that resolves to this exact"
    _ " same Bugzilla installation.
"
    _ "Note that if you have set the"
    _ " cookiedomain"
    _" parameter, you should set attachment_base to use a"
    _ " domain that would not be matched by"
    _ " cookiedomain.
"
    _ "For added security, you can insert %bugid% into the URL,"
    _ " which will be replaced with the ID of the current $terms.bug that"
    _ " the attachment is on, when you access an attachment. This will limit"
    _ " attachments to accessing only other attachments on the same"
    _ " ${terms.bug}. Remember, though, that all those possible domain names "
    _ " (such as 1234.your.domain.com) must point to this same"
    _ " Bugzilla instance.",

  # allow_attachment_deletion: per the text, deletion of attachment content is an
  # administrator-only capability.
  allow_attachment_deletion =>
    "If this option is on, administrators will be able to delete "
    _ "the content of attachments.",

  # maxattachmentsize: limit for attachments stored in the database, in KILOBYTES.
  # Files above it fall through to the maxlocalattachment check; 0 for both
  # parameters disables attaching files.
  # NOTE(review): "Settings both parameters" below should read "Setting both
  # parameters"; left as is here because it is text shown at runtime.
  maxattachmentsize =>
    "The maximum size (in kilobytes) of attachments to be stored "
    _ "in the database. If a file larger than this size is attached "
    _ "to ${terms.abug}, Bugzilla will look at the "
    _ "maxlocalattachment parameter "
    _ "to determine if the file can be stored locally on the web server. "
    _ "If the file size exceeds both limits, then the attachment is rejected. "
    _ "Settings both parameters to 0 will prevent attaching files to ${terms.bugs}.",

  # maxlocalattachment: limit for attachments stored on the web server's
  # filesystem, in MEGABYTES (a different unit from maxattachmentsize).
  # NOTE(review): the "lower than maxattachmentsize" comparison presumably
  # accounts for the unit difference - confirm in the code that reads these values.
  maxlocalattachment =>
    "The maximum size (in megabytes) of attachments to be stored "
    _ "locally on the web server. If set to a value lower than the "
    _ "maxattachmentsize parameter, "
    _ "attachments will never be kept on the local filesystem."
  } %]