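[%# This Source Code Form is subject to the terms of the Mozilla Public
  # License, v. 2.0. If a copy of the MPL was not distributed with this
  # file, You can obtain one at http://mozilla.org/MPL/2.0/.
  #
  # This Source Code Form is "Incompatible With Secondary Licenses", as
  # defined by the Mozilla Public License, v. 2.0.
  #%]

[%# Help text for the "Attachments" section of the parameter editor.
  #
  # title / desc  label the section.
  # param_descs   maps each parameter name to its description string.
  #
  # The descriptions contain literal HTML (<p>, <tt>, <a>, <em>), so they
  # are presumably emitted without HTML filtering by the template that
  # includes this file (TODO confirm). Keep them static: only the
  # $terms.* values are interpolated here, and those are defined outside
  # this file.
  #%]
[%
  title = "Attachments"
  desc = "Set up attachment options"
%]

[% param_descs = {
  # Inline display vs. forced download. The text itself flags inline
  # display as a risk when untrusted users can upload, and points the
  # admin at attachment_base as the companion setting.
  allow_attachment_display =>
    "If this option is on, users will be able to view attachments from"
    _ " their browser, if their browser supports the attachment's MIME type."
    _ " If this option is off, users are forced to download attachments,"
    _ " even if the browser is able to display them."
    _ "<p>This is a security restriction for installations where untrusted"
    _ " users may upload attachments that could be potentially damaging if"
    _ " viewed directly in the browser.</p>"
    _ "<p>It is highly recommended that you set the <tt>attachment_base</tt>"
    _ " parameter if you turn this parameter on.</p>",

  # Alternate host name for serving attachments. The description states
  # three conditions that together provide the isolation: the host must
  # differ from urlbase and sslbase, it must fall outside cookiedomain
  # so session cookies are not sent to it, and with %bugid% every
  # per-bug host name must still resolve to this same installation.
  attachment_base =>
    "When the <tt>allow_attachment_display</tt> parameter is on, it is "
    _ " possible for a malicious attachment to steal your cookies or"
    _ " perform an attack on $terms.Bugzilla using your credentials."
    _ "<p>If you would like additional security on attachments to avoid"
    _ " this, set this parameter to an alternate URL for your $terms.Bugzilla"
    _ " that is not the same as <tt>urlbase</tt> or <tt>sslbase</tt>."
    _ " That is, a different domain name that resolves to this exact"
    _ " same $terms.Bugzilla installation.</p>"
    _ "<p>Note that if you have set the"
    _ " <a href=\"editparams.cgi?section=advanced#cookiedomain_desc\"><tt>cookiedomain</tt>"
    _ " parameter</a>, you should set <tt>attachment_base</tt> to use a"
    _ " domain that would <em>not</em> be matched by"
    _ " <tt>cookiedomain</tt>.</p>"
    _ "<p>For added security, you can insert <tt>%bugid%</tt> into the URL,"
    _ " which will be replaced with the ID of the current $terms.bug that"
    _ " the attachment is on, when you access an attachment. This will limit"
    _ " attachments to accessing only other attachments on the same"
    _ " ${terms.bug}. Remember, though, that all those possible domain names "
    _ " (such as <tt>1234.your.domain.com</tt>) must point to this same"
    _ " $terms.Bugzilla instance.</p>",

  # Lets administrators delete attachment content.
  allow_attachment_deletion =>
    "If this option is on, administrators will be able to delete "
    _ "the content of attachments.",

  # NOTE(review): this limit is in kilobytes while maxlocalattachment is
  # in megabytes. The "lower than" comparison described under
  # maxlocalattachment is presumably made after unit conversion; confirm
  # against the attachment-handling code.
  maxattachmentsize =>
    "The maximum size (in kilobytes) of attachments to be stored "
    _ "in the database. If a file larger than this size is attached "
    _ "to ${terms.abug}, $terms.Bugzilla will look at the "
    _ "<a href=\"#maxlocalattachment\"><tt>maxlocalattachment</tt> parameter</a> "
    _ "to determine if the file can be stored locally on the web server. "
    _ "If the file size exceeds both limits, then the attachment is rejected. "
    _ "Setting both parameters to 0 will prevent attaching files to ${terms.bugs}.",

  # Size limit (megabytes) for attachments kept on the web server's
  # filesystem instead of in the database.
  maxlocalattachment =>
    "The maximum size (in megabytes) of attachments to be stored "
    _ "locally on the web server. If set to a value lower than the "
    _ "<a href=\"#maxattachmentsize\"><tt>maxattachmentsize</tt> parameter</a>, "
    _ "attachments will never be kept on the local filesystem." }
%]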