
Attachments not shown inline but need downloading: Change "AttachmentDownloadType" setting in configuration
Open, Low, Public


Author: Thehelpfulonewiki

This is a migration from

Attached images are sent with a content-disposition header so that they cannot be viewed in the browser, only downloaded. It is a slight inconvenience only, but also an easy fix, I presume.

Looking around, this could be because of the security vulnerability way back in 2005. However, as we are on a more recent version, this shouldn't be a problem.

I believe the configuration needs to be changed from:

AttachmentDownloadType = "attachment" to AttachmentDownloadType = "inline" (the default configuration).

This could be something in the admin interface?

Version: unspecified
Severity: normal



Event Timeline

bzimport raised the priority of this task from to Low. Nov 22 2014, 12:11 AM
bzimport added a project: OTRS.
bzimport set Reference to bz35715.
bzimport added a subscriber: Unknown Object (MLST).

Yes, seems to be a configuration issue, according to B.1.25.14. AttachmentDownloadType:

"Allows choosing between showing the attachments of a ticket in the browser (inline) or just make them downloadable (attachment)."

Unfortunately, this is still a bit of a risk. Most browsers still do some content sniffing, so what OTRS did with the patch is still the right thing to do. MediaWiki itself has extensive filtering against these types of attacks, by not allowing files that would trigger these attacks to be uploaded. The alternative is to either filter the incoming attachments, or serve them from an alternate domain name.
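The trade-off described in that comment, as an added illustration (this is not OTRS code and not part of the original thread): a response-header policy for serving ticket attachments. The `mode` parameter stands in for AttachmentDownloadType. With "attachment" every file is forced to download, which is what the OTRS patch does; with "inline" a file is only shown in the browser when its declared type is on a small passive-content safelist and its leading bytes actually match that type, so browser content sniffing cannot turn a disguised HTML body into a script running on the ticket system's origin. The safelist, the magic bytes, and the sample bodies are constructed for this example and are assumptions, not OTRS settings.

```python
from urllib.parse import quote

# Constructed safelist for this example (an assumption, not an OTRS setting):
# content types that browsers render passively, keyed to the magic bytes the
# body must start with before it may be shown inline.
INLINE_SAFE = {
    "image/png": (b"\x89PNG\r\n\x1a\n",),
    "image/jpeg": (b"\xff\xd8\xff",),
    "image/gif": (b"GIF87a", b"GIF89a"),
    "application/pdf": (b"%PDF-",),
}


def sniffed_type_matches(content_type, body):
    """True only if content_type is safelisted and the body's leading bytes
    agree with it, so a browser's own sniffing cannot upgrade it to HTML."""
    magics = INLINE_SAFE.get(content_type.lower(), ())
    return any(body.startswith(m) for m in magics)


def attachment_headers(filename, content_type, body, mode="attachment"):
    """Build response headers for a ticket attachment.

    mode plays the role of AttachmentDownloadType: "attachment" always forces
    a download; "inline" allows in-browser display, but only for bodies that
    pass sniffed_type_matches(). Everything else falls back to a download
    with an opaque type, which is the behaviour the OTRS patch chose.
    """
    inline_ok = mode == "inline" and sniffed_type_matches(content_type, body)
    disposition = "inline" if inline_ok else "attachment"
    served_type = content_type if inline_ok else "application/octet-stream"

    # Filename: drop CR/LF, quotes and backslashes from the ASCII fallback
    # (header injection / quoting issues), carry the real name in the
    # RFC 5987 filename* parameter.
    safe_name = "".join(c for c in filename if c not in '\r\n"\\')
    ascii_name = safe_name.encode("ascii", "replace").decode("ascii")
    utf8_name = quote(safe_name, safe="")
    return {
        "Content-Type": served_type,
        "Content-Disposition": (
            f'{disposition}; filename="{ascii_name}"; '
            f"filename*=UTF-8''{utf8_name}"
        ),
        # Stops browsers second-guessing Content-Type (the content sniffing
        # the comment above refers to).
        "X-Content-Type-Options": "nosniff",
        # Defence in depth for anything shown inline: no scripts, no origin,
        # so a stray HTML or SVG body cannot act as the ticket application.
        "Content-Security-Policy": "default-src 'none'; sandbox",
    }


if __name__ == "__main__":
    # Constructed sample bodies: a real PNG header and an HTML page that
    # claims to be a PNG (the case the 2005 fix guards against).
    png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 16
    html_as_png = b"<html><script>alert(1)</script></html>"
    for label, body in (("real png", png), ("html as png", html_as_png)):
        for mode in ("attachment", "inline"):
            hdrs = attachment_headers("shot.png", "image/png", body, mode)
            print(f"{label:12} mode={mode:10} -> {hdrs['Content-Disposition']}"
                  f" | {hdrs['Content-Type']}")
```

With mode="inline" the genuine PNG is shown in the browser while the HTML body that merely claims to be a PNG is still forced to download as application/octet-stream; with mode="attachment" both are downloaded. Serving attachments from a separate domain, the other option mentioned above, is complementary: it limits what a sniffed-as-HTML file can reach even when the policy lets something through.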

Thanks for explaining. Decreasing priority again for security reasons, unfortunately.

Steinsplitter moved this task from Incoming to Backlog on the OTRS board. Mar 12 2015, 12:38 PM
Meno25 removed a subscriber: Meno25. Jan 17 2017, 3:41 PM
Restricted Application added subscribers: TerraCodes, Rjd0060. Jan 17 2017, 3:41 PM

I would suggest to close this, since it won't be done for security reasons and it is almost certain that this will not be corrected/changed in the future.