[JRASERVER-14575] Screenshot link in the exported excel is redirecting to the security breach page Created: 03/Mar/2008  Updated: 16/Oct/2018  Resolved: 01/Apr/2008

Status: Closed
Project: JIRA Server (including JIRA Core)
Component/s: Issue Navigation & Search - Export
Affects Version/s: 3.12.2
Fix Version/s: 3.12.3

Type: Bug Priority: Medium
Reporter: Kay Nny Lee [Atlassian] Assignee: Michael Tokar
Resolution: Fixed Votes: 1
Labels: affects-server
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Attachments: JPEG File excel-sample.JPG     JPEG File securitybreach.JPG    
Issue Links:
is related to JRACLOUD-65661 JIRA bring users to login page when a... Needs Verification


The link of the screenshot in the exported excel spreadsheet will redirect to the security breach page of the JIRA website instead of redirecting to the link of the screenshot.

The steps of replications are:

  • Create a new issue
  • Then attach a screenshot to the newly created issue
  • Go to Find Issues and search for the above created issue
  • Then export it to the excel spreadsheet
  • Once you have export the above issue to the excel spreadsheet, open the Excel Spreadsheet
  • Look for the "Images" column
  • Click on the screenshot link

Comment by Adam Saint-Prix [ 10/Mar/2008 ]

Based on responses to a similar issue, I realize this will probably not be fixed anytime soon because of the amount of development work associated with fixing the problem, but it would be really great if it could be. I'm happy to be an external tester if this becomes part of a scheduled release to be fixed.



Comment by Dushan Hanuska [Atlassian] [ 11/Mar/2008 ]

Thanks Adam,

As you can see, this has been scheduled as one of the bugs to be fixed in a subsequent release for JIRA 3.12 if time allows. Please keep watching this issue in order to receive updates on it.

Kind regards,

Comment by Adam Saint-Prix [ 11/Mar/2008 ]

Thanks Dushan. I know getting this fixed will make our QA team (and I'm sure a lot of other folks who use JIRA) very happy.



Comment by Michael Tokar [ 28/Mar/2008 ]

Hi Adam,

I was able to reproduce your problem. As a solution, could you please ensure that when you log into JIRA, you have the Remember Me cookie enabled? I found that when I was opening the Excel view inside Internet Explorer, when I clicked the attachment link, it would load successfully if I had told Internet Explorer to remember my username.

A similar solution applies if you are opening the Excel document not inside Internet Explorer, or on someone else's computer. As long as they have previously logged into your JIRA instance with their default web browser and enabled the Remember Me cookie, when they click the link inside Excel it should open correctly.

Unfortunately, this issue is caused by core part of the Microsoft Office suite (not just Excel). For more information, please see this Microsoft KB article: http://support.microsoft.com/kb/899927

We intend to improve the current functionality of attachments such that if you are not logged in and try to view an attachment, it will allow you to log in and then view the attachment. Until we implement this, please use the above workaround.

Michael Tokar [Atlassian]

Comment by Adam Saint-Prix [ 28/Mar/2008 ]

Hi Michael,

We actually tried this previously (enabling the Remember Me check box) and this doesn't do anything to resolve the problem either. I tried using Firefox, Safari and IE 7 and I get the same error in all browsers with the cookie enabled. Don't know if browsers make a difference, doesn't sound like it.

Also, if I am already logged in, it still doesn't work.

I understand that this is a much bigger problem than it appears to be and appreciate that there is a plan to implement it at some point.


Adam Saint-Prix [Outspark]

Comment by Michael Tokar [ 30/Mar/2008 ]

Hi Adam,

I'm interested to find out why the Remember Me cookie workaround does not do the trick for you. The browser actually does matter; when you click the link from within Excel, it will internally follow the link using any cookies available from Internet Explorer only. Thus, if you have set the cookie in IE, and IE is your default browser (the browser that opens when the link is clicked), it should work when you click the link from Excel. If your default browser is another browser, you still need to set the cookie in IE, as well as the other browser.

Does the Remember Me cookie functionality work for you if you are just browsing JIRA normally? For example, you browse to JIRA, log in and enable the cookie, then restart your browser (don't log out of JIRA) and then browse to JIRA again. Are you automatically logged in?

It would also be worth getting some request logging output from your instance. Are you using Standalone/Tomcat? If so, could you please make the following modifications to your server.xml:

  1. Add the RequestDumperValve configuration like this:
    <Engine defaultHost="localhost" debug="0" name="Standalone">
          <Valve className="org.apache.catalina.valves.RequestDumperValve"/>
          <Host debug="0" name="localhost" appBase="webapps" unpackWARs="true" autoDeploy="false">
  2. Restart JIRA
  3. Set the root (default) logging level to INFO - go to Logging and Profiling in the Admin section and change the Default setting to INFO.

Once you have done this, reproduce the problem by doing a search, exporting it to Excel view, and then clicking the link of the attachment. Post your JIRA log output here (in an attachment is probably best).

Michael Tokar [Atlassian]

Comment by Adam Saint-Prix [ 31/Mar/2008 ]

Aha! Success. I think the problem is that most of us don't use IE as a default browser. Firefox is the preferred for most of our users. As a result, no one sets the cookie to "Remember Me" in Internet Explorer, only in Firefox.

So, I opened IE, set the cookie and logged in. I clicked on the link in the excel file and it worked. I will see if our other users have the same success and let you know.

One thing I noticed is once I set the cookie in IE the screen shot links only open in Internet Explorer, even if I have another browser set as the default. That's fine, except for cases where we have folks that don't use Internet Explorer at all and won't install it. I can let them know that the cookie relies on IE and won't work unless it is set in IE first. I think that is an acceptable workaround that should work for most people.

I'm waiting to hear back from our QA folks and whether or not this worked for them, but I appreciate your input. I did not need to go the logging output route or modify the server.xml file since this worked so well.


Adam Saint-Prix [Outspark]

Comment by Michael Tokar [ 01/Apr/2008 ]

Hi Adam,

Good to hear that the workaround worked. I was able to reproduce the behaviour you described regarding links opening in IE instead of the default browser. However, given that this is only a workaround, and we will have a full fix for this issue in the next release of JIRA (3.12.3), I'm afraid we'll have to leave the investigation there.

I'll now be resolving this issue, but I will continue watching it if you have any more queries.

Thanks for reporting!
Michael Tokar [Atlassian]

Comment by Adam Saint-Prix [ 14/Apr/2008 ]

Hi Michael,

I was just wondering if the "Remember Me" cookie in JIRA is browser specific (works in IE only) for all instances, regardless of whether or not, the user is trying to open a spreadsheet.

I understand that for Excel the links rely on cookies set in Internet Explorer in order for the user to be logged in automatically, does JIRA in general rely on a cookie being set in IE or is it only for the links to Word, Excel or other Microsoft products?

I saw a question in the forums that I thought might be related to the problem I was having, but didn't want to volunteer information that was incorrect.



Comment by Michael Tokar [ 15/Apr/2008 ]

Hi Adam,

The cookie must be set per browser - generally, browsers do not share cookies. In the case of Microsoft Office products, I believe they do share cookies with Internet Explorer as they use the IE engine.

Regarding the question on the forums, I posted a reply to the person who asked about the encryption of the cookie. Was that the post you were referring to?


Comment by Adam Saint-Prix [ 15/Apr/2008 ]

I had a momentary lapse of reason there, of course cookies must be set per browser. We seem to have resolved this issue across the board

And yes, that was the question on the forums I was referring to, thanks for chiming in, hopefully that helps them out.



Generated at Thu Oct 18 19:18:26 UTC 2018 using Jira 7.13.0-m0003#713000-sha1:633a471f2aa3103167a647e64201095430fb1c30.