diff --git a/file.php b/file.php
index fda45974ed942b2e342a9a1efc8c0eaa06ce99c1..d62d588eb5942b0c0c1f5639ba22cf511f3a8884 100644
--- a/file.php
+++ b/file.php
@@ -26,6 +26,21 @@ if (!$_GET['key']
     Http::response(404, __('Unknown or invalid file'));
 }
 
+// Enforce security settings
+if ($cfg->isAuthRequiredForFiles() && !$thisclient) {
+    if (!($U = StaffAuthenticationBackend::getUser())) {
+        // Try and determine if a staff is viewing this page
+        if (strpos($_SERVER['HTTP_REFERRER'], ROOT_PATH .  'scp/') !== false) {
+            $_SESSION['_staff']['auth']['dest'] =
+                '/' . ltrim($_SERVER['REQUEST_URI'], '/');
+            Http::redirect(ROOT_PATH.'scp/login.php');
+        }
+        else {
+            require 'secure.inc.php';
+        }
+    }
+}
+
 // Validate session access hash - we want to make sure the link is FRESH!
 // and the user has access to the parent ticket!!
 if ($file->verifySignature($_GET['signature'], $_GET['expires'])) {
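Review bot: The referrer check on the `strpos` line reads `$_SERVER['HTTP_REFERRER']`, but PHP exposes the Referer header as `$_SERVER['HTTP_REFERER']` (one R, matching the header's historical spelling), so this key is never set: the condition is always false, the staff redirect branch is unreachable, and every unauthenticated request falls through to `require 'secure.inc.php'` after an undefined-index notice. Since the header is also optional, guard it before reading: `if (isset($_SERVER['HTTP_REFERER']) && strpos($_SERVER['HTTP_REFERER'], ROOT_PATH . 'scp/') !== false) {`. Note that Referer is client-supplied, so it is only fit for choosing which login page to show, as it is here — both branches still deny the file, and the actual access decision stays with `isAuthRequiredForFiles()`/`$thisclient`. A short comment stating that would help the next reader, e.g. `// Referer only steers the redirect target; it never grants access.`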
diff --git a/include/class.config.php b/include/class.config.php
index 165ad08463df42accd6f41f24090f5be5944d9d7..190e58f683c5699a30a7a8090b7e12eb42865a8c 100644
--- a/include/class.config.php
+++ b/include/class.config.php
@@ -207,6 +207,7 @@ class OsticketConfig extends Config {
         'agent_avatar' => 'gravatar.mm',
         'ticket_lock' => 2, // Lock on activity
         'max_open_tickets' => 0,
+        'files_req_auth' => 1,
     );
 
     function __construct($section=null) {
@@ -1150,6 +1151,7 @@ class OsticketConfig extends Config {
             'autolock_minutes' => $vars['autolock_minutes'],
             'enable_avatars' => isset($vars['enable_avatars']) ? 1 : 0,
             'enable_richtext' => isset($vars['enable_richtext']) ? 1 : 0,
+            'files_req_auth' => isset($vars['files_req_auth']) ? 1 : 0,
         ));
     }
 
@@ -1393,6 +1395,10 @@ class OsticketConfig extends Config {
         return ($id) ? AttachmentFile::lookup((int) $id) : null;
     }
 
+    function isAuthRequiredForFiles() {
+        return $this->get('files_req_auth');
+    }
+
     function updatePagesSettings($vars, &$errors) {
         global $ost;
 
diff --git a/include/i18n/en_US/help/tips/settings.system.yaml b/include/i18n/en_US/help/tips/settings.system.yaml
index 53ed8c65e029731ba2ec0f9857de8894d479cd53..28b069775ba6e2a8b8eafc4c93ae94fc96a002e6 100644
--- a/include/i18n/en_US/help/tips/settings.system.yaml
+++ b/include/i18n/en_US/help/tips/settings.system.yaml
@@ -142,7 +142,7 @@ default_storage_bk:
     title: File Storage Backend
     content: >
         Choose how attachments are stored.
-        <br<br>
+        <br><br>
         Additional storage backends can be added by installing storage plugins
 
 max_file_size:
@@ -155,3 +155,14 @@ max_file_size:
     links:
       - title: PHP ini settings
         href: "http://php.net/manual/en/ini.core.php#ini.upload-max-filesize"
+
+files_req_auth:
+    title: Require Login
+    content: >
+        Enable this setting to forbid serving attachments to unauthenticated
+        users. That is, users must sign into the system (both end users and
+        agents), in order to view attachments.
+        <br><br>
+        From a security perspective, be aware that the user's browser may
+        retain previously-viewed files in its cache. Furthermore, all file
+        links on your helpdesk automatically expire after about 24 hours.
diff --git a/include/staff/settings-system.inc.php b/include/staff/settings-system.inc.php
index 6560e7c2074266aa4d69bb47c421cc9594759f42..6d03642201a509181a3d623691e88806298213ae 100644
--- a/include/staff/settings-system.inc.php
+++ b/include/staff/settings-system.inc.php
@@ -359,6 +359,16 @@ $gmtime = Misc::gmtime();
                 <div class="error"><?php echo $errors['max_file_size']; ?></div>
             </td>
         </tr>
+        <tr>
+            <td width="180"><?php echo __('Login required');?>:</td>
+            <td>
+                <input type="checkbox" name="files_req_auth" <?php
+                    if ($config['files_req_auth']) echo 'checked="checked"';
+                    ?> />
+                <?php echo __('Require login to view any attachments'); ?>
+                <i class="help-tip icon-question-sign" href="#files_req_auth"></i>
+            </td>
+        </tr>
     </tbody>
 </table>
 <p style="text-align:center;">