
Key: JRA-14575
Type: Bug
Status: Resolved
Resolution: Fixed
Priority: Major
Assignee: Michael Tokar [Atlassian]
Reporter: Kay Nny Lee [Atlassian]
Votes: 1
Watchers: 1

Screenshot link in the exported excel is redirecting to the security breach page

Created: 03/Mar/08 01:41 AM   Updated: 15/Apr/08 12:01 PM
Component/s: Plugins - Issue Navigator Views
Affects Version/s: 3.12.2
Fix Version/s: 3.12.3

Time Tracking:
Not Specified

File Attachments: None
Image Attachments:

1. excel-sample.JPG
(35 kB)

2. securitybreach.JPG
(54 kB)

Participants: Adam Saint-Prix, Dushan Hanuska [Atlassian], Kay Nny Lee [Atlassian] and Michael Tokar [Atlassian]
Since last comment: 19 weeks, 2 days ago
Resolution Date: 31/Mar/08 07:02 PM
Labels:


Description
The link of the screenshot in the exported Excel spreadsheet will redirect to the security breach page of the JIRA website instead of redirecting to the link of the screenshot.

The steps to replicate are:

  • Create a new issue
  • Then attach a screenshot to the newly created issue
  • Go to Find Issues and search for the above created issue
  • Then export it to the Excel spreadsheet
  • Once you have exported the above issue to the Excel spreadsheet, open the Excel spreadsheet
  • Look for the "Images" column
  • Click on the screenshot link


Adam Saint-Prix added a comment - 10/Mar/08 06:45 PM
Based on responses to a similar issue, I realize this will probably not be fixed anytime soon because of the amount of development work associated with fixing the problem, but it would be really great if it could be. I'm happy to be an external tester if this becomes part of a scheduled release to be fixed.

Thanks,

Adam


Dushan Hanuska [Atlassian] added a comment - 11/Mar/08 01:16 AM
Thanks Adam,

As you can see, this has been scheduled as one of the bugs to be fixed in a subsequent release for JIRA 3.12 if time allows. Please keep watching this issue in order to receive updates on it.

Kind regards,
Dushan


Adam Saint-Prix added a comment - 11/Mar/08 11:48 AM
Thanks Dushan. I know getting this fixed will make our QA team (and I'm sure a lot of other folks who use JIRA) very happy.

Best,

Adam


Michael Tokar [Atlassian] added a comment - 28/Mar/08 02:28 AM - edited
Hi Adam,

I was able to reproduce your problem. As a solution, could you please ensure that when you log into JIRA, you have the Remember Me cookie enabled? I found that when I was opening the Excel view inside Internet Explorer, when I clicked the attachment link, it would load successfully if I had told Internet Explorer to remember my username.

A similar solution applies if you are opening the Excel document not inside Internet Explorer, or on someone else's computer. As long as they have previously logged into your JIRA instance with their default web browser and enabled the Remember Me cookie, when they click the link inside Excel it should open correctly.

Unfortunately, this issue is caused by a core part of the Microsoft Office suite (not just Excel). For more information, please see this Microsoft KB article: http://support.microsoft.com/kb/899927

We intend to improve the current functionality of attachments such that if you are not logged in and try to view an attachment, it will allow you to log in and then view the attachment. Until we implement this, please use the above workaround.

Regards,
Michael Tokar [Atlassian]


Adam Saint-Prix added a comment - 28/Mar/08 01:17 PM
Hi Michael,

We actually tried this previously (enabling the Remember Me check box) and this doesn't do anything to resolve the problem either. I tried using Firefox, Safari and IE 7 and I get the same error in all browsers with the cookie enabled. Don't know if browsers make a difference, doesn't sound like it.

Also, if I am already logged in, it still doesn't work.

I understand that this is a much bigger problem than it appears to be and appreciate that there is a plan to implement it at some point.

Thanks,

Adam Saint-Prix [Outspark]


Michael Tokar [Atlassian] added a comment - 30/Mar/08 06:47 PM
Hi Adam,

I'm interested to find out why the Remember Me cookie workaround does not do the trick for you. The browser actually does matter; when you click the link from within Excel, it will internally follow the link using any cookies available from Internet Explorer only. Thus, if you have set the cookie in IE, and IE is your default browser (the browser that opens when the link is clicked), it should work when you click the link from Excel. If your default browser is another browser, you still need to set the cookie in IE, as well as the other browser.

Does the Remember Me cookie functionality work for you if you are just browsing JIRA normally? For example, you browse to JIRA, log in and enable the cookie, then restart your browser (don't log out of JIRA) and then browse to JIRA again. Are you automatically logged in?

It would also be worth getting some request logging output from your instance. Are you using Standalone/Tomcat? If so, could you please make the following modifications to your server.xml:

  1. Add the RequestDumperValve configuration like this:
    <Engine defaultHost="localhost" debug="0" name="Standalone">
          <Valve className="org.apache.catalina.valves.RequestDumperValve"/>
          <Host debug="0" name="localhost" appBase="webapps" unpackWARs="true" autoDeploy="false">
             ...
          </Host>
    </Engine>
  2. Restart JIRA
  3. Set the root (default) logging level to INFO - go to Logging and Profiling in the Admin section and change the Default setting to INFO.

Once you have done this, reproduce the problem by doing a search, exporting it to Excel view, and then clicking the link of the attachment. Post your JIRA log output here (in an attachment is probably best).

Thanks,
Michael Tokar [Atlassian]
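
The link flow described in the comment above, as an added Python model that is not part of the original thread and is not JIRA code. It assumes Office resolves the link with Internet Explorer's cookies and then hands the resolved URL to the default browser, and it models the planned fix as a login redirect that keeps the target; the paths, the cookie name and the `dest` parameter are constructed for illustration.

```python
from urllib.parse import urlsplit, parse_qs, quote

# Constructed paths and cookie name for this model; none are JIRA's real ones.
ATTACHMENT = "/attachment/1/screenshot.png"
BREACH = "/securitybreach"
LOGIN = "/login"
COOKIE = "remember-me"


def server(url, cookies, fixed):
    """Answer one request: (status, redirect target or None)."""
    parts = urlsplit(url)
    if parts.path == ATTACHMENT:
        if COOKIE in cookies:
            return 200, None
        # Pre-fix: anonymous requests land on the error page and the target is lost.
        # Modelled fix: send them to login and keep the target in the query string.
        return 302, (f"{LOGIN}?dest={quote(ATTACHMENT, safe='')}" if fixed else BREACH)
    if parts.path == LOGIN and COOKIE in cookies:
        dest = parse_qs(parts.query).get("dest", ["/"])[0]
        # Only follow same-site paths, so the login page cannot act as an open redirect.
        return 302, (dest if dest.startswith("/") and not dest.startswith("//") else "/")
    return 200, None  # breach page, or the login form shown to an anonymous user


def follow(url, cookies, fixed):
    """Follow redirects the way an HTTP client does and return the final URL."""
    for _ in range(5):
        status, target = server(url, cookies, fixed)
        if status != 302:
            return url
        url = target
    raise RuntimeError("redirect loop")


def click_link_in_excel(ie_cookies, browser_cookies, fixed=False):
    # Step 1: Office resolves the link itself, with Internet Explorer's cookies only.
    resolved = follow(ATTACHMENT, ie_cookies, fixed)
    # Step 2: the resolved URL, not the original link, is opened in the default browser.
    return follow(resolved, browser_cookies, fixed)
```

With the cookie set only in the default browser, `click_link_in_excel(set(), {COOKIE})` ends on the breach page; with `fixed=True` the same call ends on the attachment because the login redirect carries the target through the hand-off.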


Adam Saint-Prix added a comment - 31/Mar/08 01:24 PM
Aha! Success. I think the problem is that most of us don't use IE as a default browser. Firefox is the preferred for most of our users. As a result, no one sets the cookie to "Remember Me" in Internet Explorer, only in Firefox.

So, I opened IE, set the cookie and logged in. I clicked on the link in the Excel file and it worked. I will see if our other users have the same success and let you know.

One thing I noticed is once I set the cookie in IE the screen shot links only open in Internet Explorer, even if I have another browser set as the default. That's fine, except for cases where we have folks that don't use Internet Explorer at all and won't install it. I can let them know that the cookie relies on IE and won't work unless it is set in IE first. I think that is an acceptable workaround that should work for most people.

I'm waiting to hear back from our QA folks and whether or not this worked for them, but I appreciate your input. I did not need to go the logging output route or modify the server.xml file since this worked so well.

Thanks,

Adam Saint-Prix [Outspark]


Michael Tokar [Atlassian] added a comment - 31/Mar/08 07:01 PM
Hi Adam,

Good to hear that the workaround worked. I was able to reproduce the behaviour you described regarding links opening in IE instead of the default browser. However, given that this is only a workaround, and we will have a full fix for this issue in the next release of JIRA (3.12.3), I'm afraid we'll have to leave the investigation there.

I'll now be resolving this issue, but I will continue watching it if you have any more queries.

Thanks for reporting!
Michael Tokar [Atlassian]


Adam Saint-Prix added a comment - 14/Apr/08 01:33 PM
Hi Michael,

I was just wondering if the "Remember Me" cookie in JIRA is browser specific (works in IE only) for all instances, regardless of whether or not the user is trying to open a spreadsheet.

I understand that for Excel the links rely on cookies set in Internet Explorer in order for the user to be logged in automatically. Does JIRA in general rely on a cookie being set in IE, or is it only for the links to Word, Excel or other Microsoft products?

I saw a question in the forums that I thought might be related to the problem I was having, but didn't want to volunteer information that was incorrect.

Thanks,

Adam


Michael Tokar [Atlassian] added a comment - 14/Apr/08 11:19 PM
Hi Adam,

The cookie must be set per browser - generally, browsers do not share cookies. In the case of Microsoft Office products, I believe they do share cookies with Internet Explorer as they use the IE engine.

Regarding the question on the forums, I posted a reply to the person who asked about the encryption of the cookie. Was that the post you were referring to?

Cheers,
Michael


Adam Saint-Prix added a comment - 15/Apr/08 12:01 PM
I had a momentary lapse of reason there; of course cookies must be set per browser. We seem to have resolved this issue across the board.

And yes, that was the question on the forums I was referring to, thanks for chiming in, hopefully that helps them out.

Thanks,

Adam