[%# This Source Code Form is subject to the terms of the Mozilla Public
  # License, v. 2.0. If a copy of the MPL was not distributed with this
  # file, You can obtain one at http://mozilla.org/MPL/2.0/.
  #
  # This Source Code Form is "Incompatible With Secondary Licenses", as
  # defined by the Mozilla Public License, v. 2.0.
  #%]
[%
   # Heading and one-line summary for the Attachments parameter section.
   # Both are plain variable assignments; presumably the page that
   # processes this file reads them -- confirm against the caller.
   SET title = "Attachments"
       desc  = "Set up attachment options"
%]
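[%
  # Help text for every parameter in the Attachments section, keyed by
  # parameter name. The values carry literal HTML (p, tt, a, em), so they
  # are presumably emitted unescaped by the page that renders them -- keep
  # them static and never assemble them from user-controlled data.
  #
  # Fixes relative to the previous text: the last paragraph of
  # allow_attachment_display and of attachment_base now closes its p
  # element, and the maxattachmentsize text reads "Setting" instead of
  # "Settings".
  param_descs = {

    # Inline display lets the browser render uploaded content. The text
    # presents download-only as the safer setting when uploaders are
    # untrusted and points the administrator at attachment_base.
    allow_attachment_display =>
      "If this option is on, users will be able to view attachments from"
      _ " their browser, if their browser supports the attachment's MIME type."
      _ " If this option is off, users are forced to download attachments,"
      _ " even if the browser is able to display them."
      _ "<p>This is a security restriction for installations where untrusted"
      _ " users may upload attachments that could be potentially damaging if"
      _ " viewed directly in the browser.</p>"
      _ "<p>It is highly recommended that you set the <tt>attachment_base</tt>"
      _ " parameter if you turn this parameter on.</p>",

    # Serving attachments from a separate host name is the mitigation this
    # text describes for cookie theft and credentialed requests by a
    # malicious attachment. Two conditions stated below decide whether it
    # helps: the host must differ from urlbase and sslbase, and it must not
    # be matched by cookiedomain. The %bugid% form narrows the scope to one
    # host name per bug, which requires every such name to resolve to this
    # installation.
    attachment_base =>
      "When the <tt>allow_attachment_display</tt> parameter is on, it is "
      _ " possible for a malicious attachment to steal your cookies or"
      _ " perform an attack on $terms.Bugzilla using your credentials."
      _ "<p>If you would like additional security on attachments to avoid"
      _ " this, set this parameter to an alternate URL for your $terms.Bugzilla"
      _ " that is not the same as <tt>urlbase</tt> or <tt>sslbase</tt>."
      _ " That is, a different domain name that resolves to this exact"
      _ " same $terms.Bugzilla installation.</p>"
      _ "<p>Note that if you have set the"
      _ " <a href=\"editparams.cgi?section=advanced#cookiedomain_desc\"><tt>cookiedomain</tt>"
      _ " parameter</a>, you should set <tt>attachment_base</tt> to use a"
      _ " domain that would <em>not</em> be matched by"
      _ " <tt>cookiedomain</tt>.</p>"
      _ "<p>For added security, you can insert <tt>%bugid%</tt> into the URL,"
      _ " which will be replaced with the ID of the current $terms.bug that"
      _ " the attachment is on, when you access an attachment. This will limit"
      _ " attachments to accessing only other attachments on the same"
      _ " ${terms.bug}. Remember, though, that all those possible domain names "
      _ " (such as <tt>1234.your.domain.com</tt>) must point to this same"
      _ " $terms.Bugzilla instance.</p>",

    # Deletion removes attachment content; the text scopes it to
    # administrators.
    allow_attachment_deletion =>
      "If this option is on, administrators will be able to delete "
      _ "the content of attachments.",

    # The two size limits use different units: kilobytes here, megabytes
    # for maxlocalattachment. Per the text, a file over both limits is
    # rejected, and 0 for both disables attaching files altogether.
    # NOTE(review): the cookiedomain link above targets an anchor with a
    # _desc suffix, while the two links below do not; confirm which anchor
    # form the parameter page actually emits.
    maxattachmentsize =>
      "The maximum size (in kilobytes) of attachments to be stored "
      _ "in the database. If a file larger than this size is attached "
      _ "to ${terms.abug}, $terms.Bugzilla will look at the "
      _ "<a href=\"#maxlocalattachment\"><tt>maxlocalattachment</tt> parameter</a> "
      _ "to determine if the file can be stored locally on the web server. "
      _ "If the file size exceeds both limits, then the attachment is rejected. "
      _ "Setting both parameters to 0 will prevent attaching files to ${terms.bugs}.",

    # A value below maxattachmentsize means the local filesystem is never
    # used, as the text states.
    maxlocalattachment =>
      "The maximum size (in megabytes) of attachments to be stored "
      _ "locally on the web server. If set to a value lower than the "
      _ "<a href=\"#maxattachmentsize\"><tt>maxattachmentsize</tt> parameter</a>, "
      _ "attachments will never be kept on the local filesystem."
  }
%]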