Page MenuHomePhabricator
Create Task
Maniphest T37715

Attachments not shown inline but need downloading: Change "AttachmentDownloadType" setting in configuration
Closed, ResolvedPublic
Actions

Description

Author: Thehelpfulonewiki

Description:
This is a migration from https://otrs-wiki.wikimedia.org/wiki/OTRS_technical_challenges.

Attached images are sent with a content-disposition header so that they cannot be viewed in the browser, only downloaded. It is a slight inconvenience only, but also an easy fix, I presume.

Looking around, this could be because http://www.otrs.com/open-source/community-news/security-advisories/security-advisory-2005-01/ of the security vulnerability way back in 2005. However, as we are on a more recent version, this shouldn't be problem.

I believe the configuration needs to be changed from:

AttachmentDownloadType is set to "attachment". to  (AttachmentDownloadType = "inline") (the default configuration).

This could be something in the admin interface?

Version: unspecified
Severity: normal

Details

Reference
bz35715

Event Timeline

bzimport raised the priority of this task from to Low.Nov 22 2014, 12:11 AM
bzimport added a project: Znuny.
bzimport set Reference to bz35715.
bzimport added a subscriber: Unknown Object (MLST).
bzimport created this task.Apr 5 2012, 11:05 AM
Aklapper added a comment.Feb 21 2013, 4:10 PM

Yes, seems to be a configuration issue, according to

http://doc.otrs.org/2.4/en/html/a2982.html B.1.25.14. AttachmentDownloadType :

"Allows choosing between showing the attachments of a ticket in the browser (inline) or just make them downloadable (attachment)."

csteipp added a comment.Feb 21 2013, 8:38 PM

Unfortunately, this is still a bit of a risk. Most browsers still do some content sniffing, so what OTRS did with the patch is still the right thing to do. MediaWiki itself has extensive filtering against these types of attacks, by not allowing files that would trigger these attacks to be uploaded. The alternative is to either filter the incoming attachments, or serve them from an alternate domain name.

Aklapper added a comment.Feb 22 2013, 10:08 AM

Thanks for explaining. Decreasing priority again for security reasons, unfortunately.

Steinsplitter moved this task from Incoming to Backlog on the Znuny board.Mar 12 2015, 12:38 PM
Meno25 unsubscribed.Jan 17 2017, 3:41 PM
Restricted Application added subscribers: TerraCodes, Rjd0060. · View Herald TranscriptJan 17 2017, 3:41 PM
OldUser02 subscribed.Feb 22 2018, 9:56 AM

I would suggest to close this, since it won't be done for security reasons and it is almost certain that this will not be corrected/changed in the future.

OldUser01 subscribed.Feb 1 2020, 1:10 PM
LSobanski subscribed.Mar 15 2023, 3:55 PM

Given the age of this request and the recent comments, I'll resolve this task. Please reopen it if you think this still needs to be addressed.

LSobanski closed this task as Resolved.Mar 15 2023, 3:55 PM
LSobanski claimed this task.
Content licensed under Creative Commons Attribution-ShareAlike (CC BY-SA) 4.0 unless otherwise noted; code licensed under GNU General Public License (GPL) 2.0 or later and other open source licenses. By using this site, you agree to the Terms of Use, Privacy Policy, and Code of Conduct. · Wikimedia Foundation · Privacy Policy · Code of Conduct · Terms of Use · Disclaimer · CC-BY-SA · GPL · Credits