Last modified: 2014-08-31 00:53:03 UTC

Wikimedia Bugzilla is closed!

Wikimedia migrated from Bugzilla to Phabricator. Bug reports are handled in Wikimedia Phabricator.
This static website is read-only and for historical purposes. It is not possible to log in and except for displaying bug reports and their history, links might be broken. See T37715, the corresponding Phabricator task for complete and up-to-date bug report information.
Bug 35715 - Attachments not shown inline but need downloading: Change "AttachmentDownloadType" setting in configuration
Status: NEW
Product: Wikimedia
Classification: Unclassified
Component: OTRS
Version: unspecified
Hardware: All All
Importance: Low normal
Target Milestone: ---
Assigned To: Nobody - You can work on this!
Depends on:
Blocks:
Reported: 2012-04-05 11:05 UTC by Thehelpfulone
Modified: 2014-08-31 00:53 UTC (History)
Description Thehelpfulone 2012-04-05 11:05:11 UTC
This is a migration from <https://otrs-wiki.wikimedia.org/wiki/OTRS_technical_challenges>.

Attached images are sent with a content-disposition header so that they cannot be viewed in the browser, only downloaded. It is a slight inconvenience only, but also an easy fix, I presume.


----

Looking around, this could be because of the security vulnerability way back in 2005 (http://www.otrs.com/open-source/community-news/security-advisories/security-advisory-2005-01/). However, as we are on a more recent version, this shouldn't be a problem.

I believe the configuration needs to be changed from:
   AttachmentDownloadType is set to "attachment"
to:
   AttachmentDownloadType = "inline" (the default configuration).

This could be something in the admin interface?
Comment 1 Andre Klapper 2013-02-21 16:10:42 UTC
Yes, seems to be a configuration issue, according to

http://doc.otrs.org/2.4/en/html/a2982.html  B.1.25.14. AttachmentDownloadType :

"Allows choosing between showing the attachments of a ticket in the browser (inline) or just make them downloadable (attachment)."
Comment 2 Chris Steipp 2013-02-21 20:38:32 UTC
Unfortunately, this is still a bit of a risk. Most browsers still do some content sniffing, so what OTRS did with the patch is still the right thing to do. MediaWiki itself has extensive filtering against these types of attacks, by not allowing files that would trigger these attacks to be uploaded. The alternative is to either filter the incoming attachments, or serve them from an alternate domain name.
Comment 3 Andre Klapper 2013-02-22 10:08:59 UTC
Thanks for explaining. Decreasing priority again for security reasons, unfortunately.
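
The "filter the incoming attachments" alternative from Comment 2, sketched as an added example (not OTRS or MediaWiki code; the function name, the allowlist and the sample bytes are assumptions made for illustration). It shows an attachment inline only when its declared type is an allowlisted raster image and its leading bytes agree, and falls back to a forced download otherwise:

```python
import re

# Raster image types a browser renders without running script, with their
# magic bytes. HTML and SVG are deliberately absent: both can carry script.
INLINE_SAFE = {
    "image/png": (b"\x89PNG\r\n\x1a\n",),
    "image/jpeg": (b"\xff\xd8\xff",),
    "image/gif": (b"GIF87a", b"GIF89a"),
}


def attachment_headers(filename, declared_type, body):
    """Return the response headers to use when serving one ticket attachment."""
    mime = declared_type.split(";", 1)[0].strip().lower()
    signatures = INLINE_SAFE.get(mime)
    # Inline only if the declared type is allowlisted AND the content matches it.
    inline_ok = signatures is not None and body.startswith(signatures)
    # Keep the sender-supplied name from breaking out of the quoted header value.
    safe_name = re.sub(r"[^A-Za-z0-9._-]", "_", filename)[:100] or "attachment"
    disposition = "inline" if inline_ok else "attachment"
    return {
        # Anything not verified is served as opaque bytes, never as its claimed type.
        "Content-Type": mime if inline_ok else "application/octet-stream",
        "Content-Disposition": f'{disposition}; filename="{safe_name}"',
        # Ask the browser not to second-guess the declared type.
        "X-Content-Type-Options": "nosniff",
    }


# Constructed sample attachments (not taken from any real ticket).
SAMPLES = [
    ("screenshot.png", "image/png", b"\x89PNG\r\n\x1a\n" + b"\x00" * 16),
    ("photo.png", "image/png", b"<html><script>/* markup */</script></html>"),
    ("diagram.svg", "image/svg+xml", b"<svg xmlns='http://www.w3.org/2000/svg'/>"),
]

if __name__ == "__main__":
    for name, ctype, data in SAMPLES:
        headers = attachment_headers(name, ctype, data)
        print(f"{name:16} {headers['Content-Type']:26} {headers['Content-Disposition']}")
```

A leading-bytes check does not rule out files crafted to be valid as two formats at once, and serving attachments from an alternate domain name remains the other option named in Comment 2.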
