How to set maximum size, maximum number of attachments for web form and web interface?

Hello,

We were playing around with the default form.js and enabled attachments. This worked flawlessly.
However we could not find how we can limit the maximum size of the attachment. Is it a hardcoded limit?
Additionally we enabled support for multiple attachments through the form which seems to be supported by the Zammad backend (we could create tickets with multiple attachments via web form).
However we could not find what the maximum number of attachments for web forms is.
Is this handled somewhere in Zammad? Can this value be edited?

Best regards,
Nino

1 Like

This seems to be hardcoded (not sure).
This also impacts Telegram integrations.

Hello,

Thank you for your reply.
Looking through the repository it seems that in search_index.rb “attachment_max_size_in_mb” is generated by calling a getter function for “es_attachment_max_size_in_mb”. This can be set through console like explained here: https://docs.zammad.org/en/latest/admin-console.html#start-zammad-s-rails-console

However I could not find any information about the max number of attachments. Any idea where that might be?

Br,
Nino

Little update to my investigations.
A max number of attachment files can’t be set if I saw correctly in source.
But due to testing we found that es_attachment_max_size_in_mb is the actual maximum size for all attachments combined. So it is great that it can be limited that way.

However it is still possible for malicious users to upload thousands of small files as long as they stay under the max MB limit that is set.
It would be great if an option would be added to limit the maximum number of attachments as well and not only the size of all of them combined.
I assume the same issue applies not only to the ticket form but also replys in the web interface.

Br,
Nino

Thanks for you looking up that stuff!
I think that this is odd, as es_attachment_max_size_in_mb is set to 50MB on my instance and I can only send files via up to 20-25MB via Telegram.

Didn’t test that for article uploads via Web yet.

I’m aswell curious how to limit the maximum size for file uploads.

As far as I can tell, the mentioned setting “es_attachment_max_size_in_mb” is just a parameter for Elasticsearch to ignore big files while using the search function.

So this has nothing to do with an upload limit to prevent users flooding the system.

Edit:

Have a look at /opt/zammad/app/assets/javascripts/app/lib/base/html5Upload.js. There is a condition to prevent uploading files with size zero. You could add a condition for a max size (in bytes):

    processFiles: function (files) {
        console.log('Processing files: ' + files.length);
        var manager = this,
            len = files.length,
            file,
            upload,
            i;

        for (i = 0; i < len; i += 1) {
            file = files[i];
            if (file.size === 0) {
                alert('Files with files size zero cannot be uploaded or multiple file uploads are not supported by your browser');
                break;
            }
            if (file.size > 1000) {
                alert('Charburner: file exceeds max attachment size');
                break;
            }

            upload = new FileUpload(file);
            manager.uploadFile(upload);
        }
    },
2 Likes

This topic was automatically closed 120 days after the last reply. New replies are no longer allowed.