A customer is able to load files of unlimited size via the web interface. this way a customer can paralyze the database or the file system.
Besides the security considerations, it would also be a great feature in general.
1 Like
Beside the -theoretically- unlimited upload sizes of attachments within the webinterface, why not limit that on your webserver that’s in front of Zammad?
Thank you. We are using apache and tried to set LimitRequestBody, which does not work. Maybe a problem with proxies [1].
So we tried mod_security, which is suggested in [2]. this technically works (status code 413), but then the upload in the user interface stucks at 100 percent, maybe the same issue as in [3].
So we wonder if there is a simple setting in zammad like the email attachement limit.
[1] http://mail-archives.apache.org/mod_mbox/httpd-users/201102.mbox/<1ad1dd9c-7c1b-4c3f-8585-f41a1845edc9@iris>
[2] https://serverfault.com/questions/591701/how-to-limit-size-of-uploaded-file-with-limitrequestbody-and-proxypass
[3] https://github.com/zammad/zammad/issues/2477
We tried mod_security, but then the web form doesn’t work anymore and the backend doesn’t work either (nothing can be saved). Since we don’t want to investigate more time to learn mod_security, we prefer an option in zammad.
This topic was automatically closed after 416 days. New replies are no longer allowed.