Remove the download link for XML site backups

2010-04-22T01:24:24
ID ATLASSIAN:CONFSERVER-19393
Type atlassian
Reporter dkjellin
Modified 2017-02-17T05:42:48

Description

Currently Confluence allows easy download of XML site backups. This could be considered a security risk. This issue introduces a flag in the Confluence_cfg.xml that allows system administrators to turn this feature on or off. By default it is off meaning that the link will not be displayed. The flag admin.ui.allow.manual.backup.download can be changed to true to enable the link again. A restart of Confluence is needed after this flag has changed. The severity of this issue is rated HIGH. Please refer to http://confluence.atlassian.com/x/ZILmD for other security related issues and information on how we rate issues.