Trusted File Types and Unsafe Email Attachments in FogBugz Cases



Since the release of Internet Explorer 7, we have not been able to use blacklisting for extensions in email. Internet Explorer sniffs unknown file types for HTML content, so a blacklist would have exposed us to cross-site scripting attacks. To work around this, we have implemented whitelisting for trusted file extensions that is flexible, yet safe enough to run in most configurations.

This article discusses the trusted file types and unsafe attachment types for email extensions in FogBugz and describes how to implement the whitelisting workaround. 



Important Notes


  • The old blacklisting behavior has been deprecated completely. An attachment added directly (not via email) by a logged-in FogBugz user with Normal or Admin status will not be marked as .unsafe.
  • Any file coming from a Community or Public user, or from email, will be marked as .unsafe unless the file extension is whitelisted.
  • The default whitelisted extensions are:

    • Archives: tar, gzip, gz, zip, bzip, rar
    • Documents: doc, xls, ppt, docx, xlsx, xml, cty, pdf
    • Text: csv, txt
    • Images: jpg, jpeg, bmp, gif, png
  • Whitelisting is case sensitive.

INFORMATION: File extension whitelisting is case sensitive since version 8.22.116. However, a number of customers have reported this is not working ideally for them. Because of these reports, we are releasing an update by the end of November 2019 to make file extensions case insensitive.



Step-by-Step Guide


Follow these steps to implement whitelisting:

  1. From the Main Menu, select Site Configuration.

  2. Select the Advanced tab.

  3. Add or remove the file extensions from the Trusted File Types field.



Note: FogBugz will append .unsafe to any attachment from an email or public bug submission that does not end with one of the whitelisted extensions.
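The marking rule above, sketched as an added example (this is not FogBugz code): it uses the default extensions listed in this article and shows which attachment names are marked .unsafe only because of letter case. The source labels, the function names and the "text after the last dot" matching rule are assumptions made for the illustration.

```python
# Added illustration of the rule described in this article; not FogBugz source.
# Default trusted extensions as listed in this article.
DEFAULT_TRUSTED = frozenset(
    "tar gzip gz zip bzip rar "
    "doc xls ppt docx xlsx xml cty pdf "
    "csv txt "
    "jpg jpeg bmp gif png".split()
)


def extension(filename):
    """Text after the last dot, or '' if there is none (assumed matching rule)."""
    _, dot, ext = filename.rpartition(".")
    return ext if dot else ""


def stored_name(filename, source, trusted=DEFAULT_TRUSTED, case_sensitive=True):
    """Name the attachment would carry under the article's rule.

    source (hypothetical labels): 'user' is a logged-in Normal/Admin user
    attaching directly; anything else ('email', 'community', 'public') is
    checked against the whitelist, so unknown sources fail closed.
    """
    if source == "user":
        return filename
    ext = extension(filename)
    if case_sensitive:
        ok = ext in trusted
    else:
        ok = ext.lower() in {t.lower() for t in trusted}
    return filename if ok else filename + ".unsafe"


def case_only_rejections(filenames, trusted=DEFAULT_TRUSTED):
    """Names marked .unsafe by case-sensitive matching but not otherwise."""
    return [
        f for f in filenames
        if stored_name(f, "email", trusted, True) != f
        and stored_name(f, "email", trusted, False) == f
    ]


# Constructed sample attachment names.
SAMPLE = ["report.pdf", "SCAN.PDF", "backup.tar.gz",
          "invoice.pdf.exe", "README", "page.html"]

if __name__ == "__main__":
    for name in SAMPLE:
        print(f"{name:18} -> {stored_name(name, 'email')}")
    print("rejected on case only:", case_only_rejections(SAMPLE))
```

Only the final extension decides the outcome here, so a double extension such as invoice.pdf.exe and a name with no extension at all are both marked .unsafe.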


Default Values


The current default value for Trusted File Types is as follows:





Once a file extension is whitelisted, the system will allow the downloading of files with that extension without appending .unsafe to the file.

