From f28cd627f89bf27d79764f0d81bd06176c415eeb Mon Sep 17 00:00:00 2001
From: Ryan Lue <rl@zammad.com>
Date: Tue, 12 Feb 2019 07:46:04 +0100
Subject: [PATCH 1/9] Refactoring: Migrate
 notification_factory_template_test.rb to RSpec

---
 lib/notification_factory/template.rb          | 38 ++++----
 .../lib/notification_factory/template_spec.rb | 91 +++++++++++++++++++
 .../notification_factory_template_test.rb     | 79 ----------------
 3 files changed, 108 insertions(+), 100 deletions(-)
 create mode 100644 spec/lib/notification_factory/template_spec.rb
 delete mode 100644 test/unit/notification_factory_template_test.rb

diff --git a/lib/notification_factory/template.rb b/lib/notification_factory/template.rb
index 98ce92347..945eba14d 100644
--- a/lib/notification_factory/template.rb
+++ b/lib/notification_factory/template.rb
@@ -17,35 +17,31 @@ examples how to use
   end
 
   def to_s
-    strip_html
-  end
+    @template.gsub(/\#{\s*(.*?)\s*}/m) do
+      # some browsers start adding HTML tags
+      # fixes https://github.com/zammad/zammad/issues/385
+      input_template = $1.gsub(/\A<.+?>\s*|\s*<.+?>\z/, '')
 
-  def strip_html
-    # some browsers start adding HTML tags
-    # fixes https://github.com/zammad/zammad/issues/385
-    @template.gsub(/\#\{\s*t\((.+?)\)\s*\}/m) do
-      content = $1
-      if content =~ /^'(.+?)'$/
-        %(<%= t "#{strip_content($1)}", #{@escape} %>)
+      case input_template
+      when /\At\('(.+?)'\)\z/m
+        %(<%= t "#{sanitize_text($1)}", #{@escape} %>)
+      when /\At\((.+?)\)\z/m
+        %(<%= t d"#{sanitize_object_name($1)}", #{@escape} %>)
+      when /\Aconfig\.(.+?)\z/m
+        %(<%= c "#{sanitize_object_name($1)}", #{@escape} %>)
       else
-        %(<%= t d"#{strip_variable(content)}", #{@escape} %>)
+        %(<%= d "#{sanitize_object_name(input_template)}", #{@escape} %>)
       end
-    end.gsub(/\#\{\s*config\.(.+?)\s*\}/m) do
-      %(<%= c "#{strip_variable($1)}", #{@escape} %>)
-    end.gsub(/\#\{(.*?)\}/m) do
-      %(<%= d "#{strip_variable($1)}", #{@escape} %>)
     end
   end
 
-  def strip_content(string)
-    string&.gsub(/\t|\r|\n/, '')
-          &.gsub(/"/, '\"')
+  def sanitize_text(string)
+    string&.tr("\t\r\n", '')
+          &.gsub(/(?<!\\)(?=")/, '\\')
   end
 
-  def strip_variable(string)
-    string&.gsub(/\t|\r|\n|"|'|§|;/, '')
-          &.gsub(/\s*/, '')
-          &.gsub(/<.+?>/, '')
+  def sanitize_object_name(string)
+    string&.tr("\t\r\n\f \"'§;", '')
   end
 
 end
diff --git a/spec/lib/notification_factory/template_spec.rb b/spec/lib/notification_factory/template_spec.rb
new file mode 100644
index 000000000..094f5ca46
--- /dev/null
+++ b/spec/lib/notification_factory/template_spec.rb
@@ -0,0 +1,91 @@
+require 'rails_helper'
+
+RSpec.describe NotificationFactory::Template do
+  subject(:template) do
+    NotificationFactory::Template.new(template_string, escape)
+  end
+
+  describe '#to_s' do
+    context 'for empty input template (incl. whitespace-only)' do
+      let(:template_string) { "\#{ }" }
+
+      context 'with escape = true' do
+        let(:escape) { true }
+
+        it 'returns an ERB template with the #d helper, and passes escape arg as string' do
+          expect(template.to_s).to eq('<%= d "", true %>')
+        end
+      end
+
+      context 'with escape = false' do
+        let(:escape) { false }
+
+        it 'returns an ERB template with the #d helper, and passes escape arg as string' do
+          expect(template.to_s).to eq('<%= d "", false %>')
+        end
+      end
+    end
+
+    context 'for input template using #t helper' do
+      let(:template_string) { "\#{t('some text')}" }
+      let(:escape) { false }
+
+      it 'returns an ERB template with the #t helper, and passes escape arg as string' do
+        expect(template.to_s).to eq('<%= t "some text", false %>')
+      end
+
+      context 'with double-quotes in argument' do
+        let(:template_string) { "\#{t('some \"text\"')}" }
+
+        it 'adds backslash-escaping' do
+          expect(template.to_s).to eq('<%= t "some \"text\"", false %>')
+        end
+      end
+    end
+
+    # Regression test for https://github.com/zammad/zammad/issues/385
+    context 'with HTML auto-injected by browser' do
+      let(:escape) { true }
+
+      context 'for <a> tags wrapped around "ticket.id"' do
+        let(:template_string) { <<~'TEMPLATE'.chomp }
+          #{<a href="http://ticket.id" title="http://ticket.id" target="_blank">ticket.id</a>}
+        TEMPLATE
+
+        it 'strips tag from resulting ERB template' do
+          expect(template.to_s).to eq('<%= d "ticket.id", true %>')
+        end
+      end
+
+      context 'for <a> tags wrapped around "config.fqdn"' do
+        let(:template_string) { <<~'TEMPLATE'.chomp }
+          #{<a href="http://config.fqdn" title="http://config.fqdn" target="_blank">config.fqdn</a>}
+        TEMPLATE
+
+        it 'strips tag from resulting ERB template' do
+          expect(template.to_s).to eq('<%= c "fqdn", true %>')
+        end
+      end
+
+      context 'for <a> tags surrounded by whitespace' do
+        let(:template_string) { <<~'TEMPLATE'.chomp }
+          #{   <a href="http://ticket.id" title="http://ticket.id" target="_blank">ticket.id  </a>  }
+        TEMPLATE
+
+        it 'strips tag and spaces from template' do
+          expect(template.to_s).to eq('<%= d "ticket.id", true %>')
+        end
+      end
+
+      context 'for unpaired <a> tag and trailing whitespace' do
+        let(:template_string) { <<~'TEMPLATE'.chomp }
+          #{<a href="http://ticket.id" title="http://ticket.id" target="_blank">ticket.id  }
+        TEMPLATE
+
+        it 'strips tag and spaces from template' do
+          expect(template.to_s).to eq('<%= d "ticket.id", true %>')
+        end
+      end
+    end
+  end
+end
diff --git a/test/unit/notification_factory_template_test.rb b/test/unit/notification_factory_template_test.rb
deleted file mode 100644
index 38ca7367c..000000000
--- a/test/unit/notification_factory_template_test.rb
+++ /dev/null
@@ -1,79 +0,0 @@
-require 'test_helper'
-
-class NotificationFactoryTemplateTest < ActiveSupport::TestCase
-
-  # RSpec incoming!
-  def described_class
-    NotificationFactory::Template
-  end
-
-  test 'regular browser html' do
-
-    # ensures https://github.com/zammad/zammad/issues/385
-    template_before = '#{<a href="http://ticket.id" title="http://ticket.id" target="_blank">ticket.id</a>}'
-    template_after  = '<%= d "ticket.id", true %>'
-
-    result = described_class.new(template_before, true).to_s
-    assert_equal(template_after, result)
-
-    template_before = '#{<a href="http://ticket.id" title="http://ticket.id" target="_blank">config.fqdn</a>}'
-    template_after  = '<%= d "config.fqdn", true %>'
-
-    result = described_class.new(template_before, true).to_s
-    assert_equal(template_after, result)
-  end
-
-  test 'spaced browser html' do
-
-    # ensures https://github.com/zammad/zammad/issues/385
-    template_before = '#{   <a href="http://ticket.id" title="http://ticket.id" target="_blank">ticket.id  </a>  }'
-    template_after  = '<%= d "ticket.id", true %>'
-
-    result = described_class.new(template_before, true).to_s
-    assert_equal(template_after, result)
-  end
-
-  test 'broken browser html' do
-
-    # ensures https://github.com/zammad/zammad/issues/385
-    template_before = '#{<a href="http://ticket.id" title="http://ticket.id" target="_blank">ticket.id  }'
-    template_after  = '<%= d "ticket.id", true %>'
-
-    result = described_class.new(template_before, true).to_s
-    assert_equal(template_after, result)
-  end
-
-  test 'empty tag' do
-
-    template_before = '#{}'
-    template_after  = '<%= d "", true %>'
-
-    result = described_class.new(template_before, true).to_s
-    assert_equal(template_after, result)
-  end
-
-  test 'empty tag with space' do
-
-    template_before = '#{ }'
-    template_after  = '<%= d "", false %>'
-
-    result = described_class.new(template_before, false).to_s
-    assert_equal(template_after, result)
-  end
-
-  test 'translation' do
-
-    template_before = "\#{t('some text')}"
-    template_after  = '<%= t "some text", false %>'
-
-    result = described_class.new(template_before, false).to_s
-    assert_equal(template_after, result)
-
-    template_before = "\#{t('some \"text\"')}"
-    template_after  = '<%= t "some \"text\"", false %>'
-
-    result = described_class.new(template_before, false).to_s
-    assert_equal(template_after, result)
-  end
-
-end

From dabce01ec2aba82aaafdb08deba755b7b222734c Mon Sep 17 00:00:00 2001
From: Martin Edenhofer <me@znuny.com>
Date: Tue, 12 Feb 2019 08:38:59 +0100
Subject: [PATCH 2/9] Sanitize html for note fields of tickets, users and
 organizations.

---
 app/models/organization.rb                             |  3 +++
 app/models/ticket.rb                                   |  3 +++
 app/models/user.rb                                     |  3 +++
 .../models/concerns/has_xss_sanitized_note_examples.rb | 10 ++++++++++
 spec/models/organization_spec.rb                       |  3 +++
 spec/models/ticket_spec.rb                             |  3 +++
 spec/models/user_spec.rb                               |  3 +++
 7 files changed, 28 insertions(+)
 create mode 100644 spec/models/concerns/has_xss_sanitized_note_examples.rb

diff --git a/app/models/organization.rb b/app/models/organization.rb
index d772fea1b..0b35e24af 100644
--- a/app/models/organization.rb
+++ b/app/models/organization.rb
@@ -7,6 +7,7 @@ class Organization < ApplicationModel
   include HasHistory
   include HasSearchIndexBackend
   include CanCsvImport
+  include ChecksHtmlSanitized
 
   include Organization::ChecksAccess
   include Organization::Assets
@@ -22,6 +23,8 @@ class Organization < ApplicationModel
 
   activity_stream_permission 'admin.role'
 
+  sanitized_html :note
+
   private
 
   def domain_cleanup
diff --git a/app/models/ticket.rb b/app/models/ticket.rb
index 740120b55..a5a81c1df 100644
--- a/app/models/ticket.rb
+++ b/app/models/ticket.rb
@@ -6,6 +6,7 @@ class Ticket < ApplicationModel
   include ChecksClientNotification
   include ChecksLatestChangeObserved
   include CanCsvImport
+  include ChecksHtmlSanitized
   include HasHistory
   include HasTags
   include HasSearchIndexBackend
@@ -56,6 +57,8 @@ class Ticket < ApplicationModel
 
   history_relation_object 'Ticket::Article'
 
+  sanitized_html :note
+
   belongs_to    :group
   belongs_to    :organization
   has_many      :articles,               class_name: 'Ticket::Article', after_add: :cache_update, after_remove: :cache_update, dependent: :destroy, inverse_of: :ticket
diff --git a/app/models/user.rb b/app/models/user.rb
index 5d564f088..280431476 100644
--- a/app/models/user.rb
+++ b/app/models/user.rb
@@ -6,6 +6,7 @@ class User < ApplicationModel
   include HasHistory
   include HasSearchIndexBackend
   include CanCsvImport
+  include ChecksHtmlSanitized
   include HasGroups
   include HasRoles
 
@@ -66,6 +67,8 @@ class User < ApplicationModel
                          :groups,
                          :user_groups
 
+  sanitized_html :note
+
   def ignore_search_indexing?(_action)
     # ignore internal user
     return true if id == 1
diff --git a/spec/models/concerns/has_xss_sanitized_note_examples.rb b/spec/models/concerns/has_xss_sanitized_note_examples.rb
new file mode 100644
index 000000000..8af57b840
--- /dev/null
+++ b/spec/models/concerns/has_xss_sanitized_note_examples.rb
@@ -0,0 +1,10 @@
+RSpec.shared_examples 'HasXssSanitizedNote' do |model_factory:|
+  describe 'XSS prevention' do
+    context 'with injected JS' do
+      subject { create(model_factory, note: 'test 123 <script type="text/javascript">alert("XSS!");</script> <b>some text</b>') }
+      it 'strips out <script> tag' do
+        expect(subject.note).to eq('test 123 alert("XSS!"); <b>some text</b>')
+      end
+    end
+  end
+end
diff --git a/spec/models/organization_spec.rb b/spec/models/organization_spec.rb
index 45c7de74c..415023266 100644
--- a/spec/models/organization_spec.rb
+++ b/spec/models/organization_spec.rb
@@ -1,10 +1,12 @@
 require 'rails_helper'
 require 'models/concerns/can_lookup_examples'
 require 'models/concerns/has_search_index_backend_examples'
+require 'models/concerns/has_xss_sanitized_note_examples'
 
 RSpec.describe Organization, type: :model do
   it_behaves_like 'CanLookup'
   it_behaves_like 'HasSearchIndexBackend', indexed_factory: :organization
+  it_behaves_like 'HasXssSanitizedNote', model_factory: :organization
 
   describe '.where_or_cis' do
     it 'finds instance by querying multiple attributes case insensitive' do
@@ -13,4 +15,5 @@ RSpec.describe Organization, type: :model do
       expect(organizations).not_to be_blank
     end
   end
+
 end
diff --git a/spec/models/ticket_spec.rb b/spec/models/ticket_spec.rb
index 2f71a7cd1..5cde81a00 100644
--- a/spec/models/ticket_spec.rb
+++ b/spec/models/ticket_spec.rb
@@ -2,11 +2,13 @@ require 'rails_helper'
 require 'models/application_model_examples'
 require 'models/concerns/can_be_imported_examples'
 require 'models/concerns/can_lookup_examples'
+require 'models/concerns/has_xss_sanitized_note_examples'
 
 RSpec.describe Ticket, type: :model do
   it_behaves_like 'ApplicationModel'
   it_behaves_like 'CanBeImported'
   it_behaves_like 'CanLookup'
+  it_behaves_like 'HasXssSanitizedNote', model_factory: :ticket
 
   subject(:ticket) { create(:ticket) }
 
@@ -378,4 +380,5 @@ RSpec.describe Ticket, type: :model do
       end
     end
   end
+
 end
diff --git a/spec/models/user_spec.rb b/spec/models/user_spec.rb
index 0c10e7fc8..39a8b18c1 100644
--- a/spec/models/user_spec.rb
+++ b/spec/models/user_spec.rb
@@ -3,6 +3,7 @@ require 'models/application_model_examples'
 require 'models/concerns/has_groups_examples'
 require 'models/concerns/has_roles_examples'
 require 'models/concerns/has_groups_permissions_examples'
+require 'models/concerns/has_xss_sanitized_note_examples'
 require 'models/concerns/can_be_imported_examples'
 require 'models/concerns/can_lookup_examples'
 
@@ -10,6 +11,7 @@ RSpec.describe User do
   it_behaves_like 'ApplicationModel'
   it_behaves_like 'HasGroups', group_access_factory: :agent_user
   it_behaves_like 'HasRoles', group_access_factory: :agent_user
+  it_behaves_like 'HasXssSanitizedNote', model_factory: :user
   it_behaves_like 'HasGroups and Permissions', group_access_no_permission_factory: :user
   it_behaves_like 'CanBeImported'
   it_behaves_like 'CanLookup'
@@ -831,4 +833,5 @@ RSpec.describe User do
       end
     end
   end
+
 end

From f106ad0ef0afc35c90be1793b5c0789f35e80dab Mon Sep 17 00:00:00 2001
From: Thorsten Eckel <te@znuny.com>
Date: Mon, 21 Jan 2019 11:36:41 +0100
Subject: [PATCH 3/9] Improved header handling.

---
 app/controllers/sessions_controller.rb |  2 +-
 spec/requests/api_auth_spec.rb         | 16 +++++++++++++++-
 2 files changed, 16 insertions(+), 2 deletions(-)

diff --git a/app/controllers/sessions_controller.rb b/app/controllers/sessions_controller.rb
index 4e4be2efb..ee2944184 100644
--- a/app/controllers/sessions_controller.rb
+++ b/app/controllers/sessions_controller.rb
@@ -2,7 +2,7 @@
 
 class SessionsController < ApplicationController
   prepend_before_action :authentication_check, only: %i[switch_to_user list delete]
-  skip_before_action :verify_csrf_token, only: %i[create show destroy create_omniauth failure_omniauth create_sso]
+  skip_before_action :verify_csrf_token, only: %i[show destroy create_omniauth failure_omniauth create_sso]
 
   # "Create" a login, aka "log the user in"
   def create
diff --git a/spec/requests/api_auth_spec.rb b/spec/requests/api_auth_spec.rb
index df8de3414..eabf60cef 100644
--- a/spec/requests/api_auth_spec.rb
+++ b/spec/requests/api_auth_spec.rb
@@ -2,6 +2,17 @@ require 'rails_helper'
 
 RSpec.describe 'Api Auth', type: :request do
 
+  around(:each) do |example|
+    orig = ActionController::Base.allow_forgery_protection
+
+    begin
+      ActionController::Base.allow_forgery_protection = true
+      example.run
+    ensure
+      ActionController::Base.allow_forgery_protection = orig
+    end
+  end
+
   let(:admin_user) do
     create(:admin_user)
   end
@@ -369,7 +380,10 @@ RSpec.describe 'Api Auth', type: :request do
     it 'does session auth - admin' do
       create(:admin_user, login: 'api-admin@example.com', password: 'adminpw')
 
-      post '/api/v1/signin', params: { username: 'api-admin@example.com', password: 'adminpw', fingerprint: '123456789' }
+      get '/'
+      token = response.headers['CSRF-TOKEN']
+
+      post '/api/v1/signin', params: { username: 'api-admin@example.com', password: 'adminpw', fingerprint: '123456789' }, headers: { 'X-CSRF-Token' => token }
       expect(response.header.key?('Access-Control-Allow-Origin')).to be_falsey
       expect(response).to have_http_status(201)
 

From 413d8eb03b77293bf3607ff58f47dd3073846f15 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Andr=C3=A9=20Bauer?= <andre.bauer@kiwigrid.com>
Date: Tue, 12 Feb 2019 12:39:03 +0100
Subject: [PATCH 4/9] fixed docker repo
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Signed-off-by: André Bauer <andre.bauer@kiwigrid.com>
---
 .circleci/docker-image-build.sh | 16 ++++++++++------
 1 file changed, 10 insertions(+), 6 deletions(-)

diff --git a/.circleci/docker-image-build.sh b/.circleci/docker-image-build.sh
index b744ad6ff..3ecb64a33 100755
--- a/.circleci/docker-image-build.sh
+++ b/.circleci/docker-image-build.sh
@@ -6,16 +6,20 @@ set -o errexit
 set -o pipefail
 
 REPO_ROOT="$(git rev-parse --show-toplevel)"
-REPO_USER="zammad"
+GITHUB_REPO_USER="zammad"
 ZAMMAD_VERSION="$(git describe --tags | sed -e 's/-[a-z0-9]\{8,\}.*//g')"
 export ZAMMAD_VERSION
 
 if [ "${CIRCLE_BRANCH}" == 'develop' ]; then
-  DOCKER_REPOSITORY="zammad-docker"
   BUILD_SCRIPT="scripts/build_image.sh"
+  DOCKER_REPOSITORY="zammad"
+  export DOCKER_REPOSITORY
+  GITHUB_REPOSITORY="zammad-docker"
 elif [ "${CIRCLE_BRANCH}" == 'stable' ]; then
-  DOCKER_REPOSITORY="zammad-docker-compose"
   BUILD_SCRIPT="hooks/build.sh"
+  DOCKER_REPOSITORY="zammad-docker-compose"
+  export DOCKER_REPOSITORY
+  GITHUB_REPOSITORY="zammad-docker-compose"
 else
   echo "branch is ${CIRCLE_BRANCH}... no docker image build needed..."
   exit 0
@@ -25,11 +29,11 @@ fi
 echo "${DOCKER_PASSWORD}" | docker login --username="${DOCKER_USERNAME}" --password-stdin
 
 # clone docker repo
-git clone https://github.com/"${REPO_USER}"/"${DOCKER_REPOSITORY}"
+git clone https://github.com/"${GITHUB_REPO_USER}"/"${GITHUB_REPOSITORY}"
 
 # enter dockerfile dir
-cd "${REPO_ROOT}/${DOCKER_REPOSITORY}"
+cd "${REPO_ROOT}/${GITHUB_REPOSITORY}"
 
 # build & push docker image
 # shellcheck disable=SC1090
-source "${REPO_ROOT}/${DOCKER_REPOSITORY}/${BUILD_SCRIPT}"
+source "${REPO_ROOT}/${GITHUB_REPOSITORY}/${BUILD_SCRIPT}"

From 11b0d4d286722b7146cd6ffce72f7bc9701928e4 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Andr=C3=A9=20Bauer?= <andre.bauer@kiwigrid.com>
Date: Wed, 13 Feb 2019 10:52:33 +0100
Subject: [PATCH 5/9] fixed docker image build hook path

---
 .circleci/docker-image-build.sh | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.circleci/docker-image-build.sh b/.circleci/docker-image-build.sh
index 3ecb64a33..8d864ad94 100755
--- a/.circleci/docker-image-build.sh
+++ b/.circleci/docker-image-build.sh
@@ -16,7 +16,7 @@ if [ "${CIRCLE_BRANCH}" == 'develop' ]; then
   export DOCKER_REPOSITORY
   GITHUB_REPOSITORY="zammad-docker"
 elif [ "${CIRCLE_BRANCH}" == 'stable' ]; then
-  BUILD_SCRIPT="hooks/build.sh"
+  BUILD_SCRIPT="hooks/build"
   DOCKER_REPOSITORY="zammad-docker-compose"
   export DOCKER_REPOSITORY
   GITHUB_REPOSITORY="zammad-docker-compose"

From 5dedd6ecfc2afa4ba791c2b1f3415821cfed655b Mon Sep 17 00:00:00 2001
From: Martin Edenhofer <me@znuny.com>
Date: Thu, 14 Feb 2019 06:42:41 +0100
Subject: [PATCH 6/9] Implemented preview feature as default feature.

---
 .circleci/install.sh                          |   2 +-
 .pkgr.yml                                     |  45 ++++++-
 Gemfile                                       |   3 +
 Gemfile.lock                                  |   2 +
 .../ticket_zoom/article_image_view.coffee     |  24 ++++
 .../ticket_zoom/article_view.coffee           |   2 +-
 .../views/ticket_zoom/article_view.jst.eco    |   2 +-
 app/controllers/ticket_articles_controller.rb |  15 ++-
 app/models/store.rb                           | 101 ++++++++++++++-
 app/models/ticket/article.rb                  |   2 +-
 ...g_change_ticket_zoom_attachment_preview.rb |  34 +++++
 db/seeds/settings.rb                          |   2 +-
 public/assets/chat/chat-no-jquery.coffee      |   2 +-
 test/data/image/1000x1000.png                 | Bin 0 -> 2424 bytes
 test/data/image/1x1.png                       | Bin 0 -> 106 bytes
 test/unit/store_test.rb                       | 120 ++++++++++++++++++
 16 files changed, 342 insertions(+), 14 deletions(-)
 create mode 100644 db/migrate/20190131000001_setting_change_ticket_zoom_attachment_preview.rb
 create mode 100644 test/data/image/1000x1000.png
 create mode 100644 test/data/image/1x1.png

diff --git a/.circleci/install.sh b/.circleci/install.sh
index 4eccd04e4..047315c7f 100755
--- a/.circleci/install.sh
+++ b/.circleci/install.sh
@@ -10,7 +10,7 @@ DB_CONFIG="test:\n  adapter: postgresql\n  database: zammad_test\n  host: 127.0.
 
 # install build dependencies
 sudo apt-get update
-sudo apt-get install -y --no-install-recommends autoconf automake autotools-dev bison build-essential curl git-core libffi-dev libgdbm-dev libgmp-dev libmariadbclient-dev-compat libncurses5-dev libreadline-dev libsqlite3-dev libssl-dev libtool libxml2-dev libxslt1-dev libyaml-0-2 libyaml-dev patch pkg-config postfix sqlite3 zlib1g-dev
+sudo apt-get install -y --no-install-recommends autoconf automake autotools-dev bison build-essential curl git-core libffi-dev libgdbm-dev libgmp-dev libmariadbclient-dev-compat libncurses5-dev libreadline-dev libsqlite3-dev libssl-dev libtool libxml2-dev libxslt1-dev libyaml-0-2 libyaml-dev patch pkg-config postfix sqlite3 zlib1g-dev libimlib2 libimlib2-dev
 
 if [ "${CIRCLE_JOB}" == "install-mysql" ]; then
   DB_ADAPTER="mysql2"
diff --git a/.pkgr.yml b/.pkgr.yml
index 6e32b62eb..b5b36456d 100644
--- a/.pkgr.yml
+++ b/.pkgr.yml
@@ -10,36 +10,69 @@ targets:
       - nginx
       - postgresql-server
       - which
-  debian-8:
-    dependencies:
-      - curl
-      - elasticsearch
-      - nginx|apache2
-      - postgresql|mysql-server|mariadb-server|sqlite
+      - epel-release
+      - imlib2
+      - imlib2-devel
+    build_dependencies:
+      - http://download.fedoraproject.org/pub/epel/7/x86_64/Packages/i/imlib2-1.4.5-9.el7.x86_64.rpm
+      - http://download.fedoraproject.org/pub/epel/7/x86_64/Packages/i/imlib2-devel-1.4.5-9.el7.x86_64.rpm
   debian-9:
     dependencies:
       - curl
       - elasticsearch
       - nginx|apache2
       - postgresql|mariadb-server|sqlite
+      - libimlib2
+      - libimlib2-dev
+    build_dependencies:
+      - libimlib2
+      - libimlib2-dev
   ubuntu-16.04:
     dependencies:
       - curl
       - elasticsearch
       - nginx|apache2
       - postgresql|mysql-server|mariadb-server|sqlite
+      - libimlib2
+      - libimlib2-dev
+    build_dependencies:
+      - libimlib2
+      - libimlib2-dev
   ubuntu-18.04:
     dependencies:
       - curl
       - elasticsearch
       - nginx|apache2
       - postgresql|mysql-server|mariadb-server|sqlite
+      - libimlib2
+    build_dependencies:
+      - libimlib2-dev
   sles-12:
     dependencies:
       - curl
       - elasticsearch
       - nginx
       - postgresql-server
+      - imlib2
+      - imlib2-devel
+    build_dependencies:
+      - imlib2
+      - imlib2-devel
+  sles-12:
+    dependencies:
+      - curl
+      - elasticsearch
+      - nginx
+      - postgresql-server
+      - imlib2
+      - libImlib2-1
+      - imlib2
+      - imlib2-devel
+    build_dependencies:
+      - https://ftp.gwdg.de/pub/opensuse/discontinued/distribution/12.3/repo/oss/suse/x86_64/imlib2-1.4.5-12.1.1.x86_64.rpm
+      - https://ftp.gwdg.de/pub/opensuse/discontinued/distribution/12.3/repo/oss/suse/x86_64/imlib2-devel-1.4.5-12.1.1.x86_64.rpm
+      - https://ftp.gwdg.de/pub/opensuse/discontinued/distribution/12.3/repo/oss/suse/x86_64/imlib2-filters-1.4.5-12.1.1.x86_64.rpm
+      - https://ftp.gwdg.de/pub/opensuse/discontinued/distribution/12.3/repo/oss/suse/x86_64/libImlib2-1-1.4.5-12.1.1.x86_64.rpm
 before:
   - contrib/packager.io/before.sh
 after:
diff --git a/Gemfile b/Gemfile
index e52605d67..cca8287d4 100644
--- a/Gemfile
+++ b/Gemfile
@@ -116,6 +116,9 @@ gem 'autodiscover', git: 'https://github.com/zammad-deps/autodiscover'
 gem 'rubyntlm', git: 'https://github.com/wimm/rubyntlm'
 gem 'viewpoint'
 
+# image processing
+gem 'rszr'
+
 # Gems used only for develop/test and not required
 # in production environments by default.
 group :development, :test do
diff --git a/Gemfile.lock b/Gemfile.lock
index 338636dc6..e358c64c6 100644
--- a/Gemfile.lock
+++ b/Gemfile.lock
@@ -408,6 +408,7 @@ GEM
       rspec-mocks (~> 3.8.0)
       rspec-support (~> 3.8.0)
     rspec-support (3.8.0)
+    rszr (0.3.2)
     rubocop (0.64.0)
       jaro_winkler (~> 1.5.1)
       parallel (~> 1.10)
@@ -584,6 +585,7 @@ DEPENDENCIES
   rb-fsevent
   rchardet (>= 1.8.0)
   rspec-rails
+  rszr
   rubocop
   rubyntlm!
   sassc-rails
diff --git a/app/assets/javascripts/app/controllers/ticket_zoom/article_image_view.coffee b/app/assets/javascripts/app/controllers/ticket_zoom/article_image_view.coffee
index df8661ed2..de542b3fc 100644
--- a/app/assets/javascripts/app/controllers/ticket_zoom/article_image_view.coffee
+++ b/app/assets/javascripts/app/controllers/ticket_zoom/article_image_view.coffee
@@ -11,9 +11,33 @@ class App.TicketZoomArticleImageView extends App.ControllerModal
     'click .js-cancel': 'cancel'
     'click .js-close':  'cancel'
 
+  constructor: ->
+    super
+    @unbindAll()
+    $(document).bind('keydown.image_preview', 'right', (e) =>
+      nextElement = @parentElement.closest('.attachment').next('.attachment.attachment--preview')
+      return if nextElement.length is 0
+      @close()
+      nextElement.find('img').click()
+    )
+    $(document).bind('keydown.image_preview', 'left', (e) =>
+      prevElement = @parentElement.closest('.attachment').prev('.attachment.attachment--preview')
+      return if prevElement.length is 0
+      @close()
+      prevElement.find('img').click()
+    )
+
   content: ->
+    @image = @image.replace(/view=preview/, 'view=inline')
     "<div class=\"centered imagePreview\">#{@image}</div>"
 
   onSubmit: =>
+    @image = @image.replace(/(\?|)view=(preview|inline)/, '')
     url = "#{$(@image).attr('src')}?disposition=attachment"
     window.open(url, '_blank')
+
+  onClose: =>
+    @unbindAll()
+
+  unbindAll: ->
+    $(document).unbind('keydown.image_preview')
diff --git a/app/assets/javascripts/app/controllers/ticket_zoom/article_view.coffee b/app/assets/javascripts/app/controllers/ticket_zoom/article_view.coffee
index 33f1b2406..f5da7281e 100644
--- a/app/assets/javascripts/app/controllers/ticket_zoom/article_view.coffee
+++ b/app/assets/javascripts/app/controllers/ticket_zoom/article_view.coffee
@@ -421,4 +421,4 @@ class ArticleViewItem extends App.ObserverController
   imageView: (e) ->
     e.preventDefault()
     e.stopPropagation()
-    new App.TicketZoomArticleImageView(image: $(e.target).get(0).outerHTML)
+    new App.TicketZoomArticleImageView(image: $(e.target).get(0).outerHTML, parentElement: $(e.currentTarget))
diff --git a/app/assets/javascripts/app/views/ticket_zoom/article_view.jst.eco b/app/assets/javascripts/app/views/ticket_zoom/article_view.jst.eco
index 348805aa2..aaa00e171 100644
--- a/app/assets/javascripts/app/views/ticket_zoom/article_view.jst.eco
+++ b/app/assets/javascripts/app/views/ticket_zoom/article_view.jst.eco
@@ -66,7 +66,7 @@
                   <div class="attachment-icon">
                   <% if attachment.preferences && attachment.preferences['Content-Type'] && @ContentTypeIcon(attachment.preferences['Content-Type']): %>
                     <% if @canPreview(attachment.preferences['Content-Type']): %>
-                      <img src="<%= App.Config.get('api_path') %>/ticket_attachment/<%= @article.ticket_id %>/<%= @article.id %>/<%= attachment.id %>">
+                      <img src="<%= App.Config.get('api_path') %>/ticket_attachment/<%= @article.ticket_id %>/<%= @article.id %>/<%= attachment.id %>?view=preview">
                     <% else: %>
                       <%- @Icon( @ContentTypeIcon(attachment.preferences['Content-Type']) ) %>
                     <% end %>
diff --git a/app/controllers/ticket_articles_controller.rb b/app/controllers/ticket_articles_controller.rb
index 681ffb17b..138a23fdd 100644
--- a/app/controllers/ticket_articles_controller.rb
+++ b/app/controllers/ticket_articles_controller.rb
@@ -255,8 +255,21 @@ class TicketArticlesController < ApplicationController
 
     disposition = sanitized_disposition
 
+    content = nil
+    if params[:view].present? && file.preferences[:resizable] == true
+      if file.preferences[:content_inline] == true && params[:view] == 'inline'
+        content = file.content_inline
+      elsif file.preferences[:content_preview] == true && params[:view] == 'preview'
+        content = file.content_preview
+      end
+    end
+
+    if content.blank?
+      content = file.content
+    end
+
     send_data(
-      file.content,
+      content,
       filename:    file.filename,
       type:        file.preferences['Content-Type'] || file.preferences['Mime-Type'] || 'application/octet-stream',
       disposition: disposition
diff --git a/app/models/store.rb b/app/models/store.rb
index 5a79c1966..4827b2c5a 100644
--- a/app/models/store.rb
+++ b/app/models/store.rb
@@ -34,7 +34,7 @@ returns
 =end
 
   def self.add(data)
-    data = data.stringify_keys
+    data.deep_stringify_keys!
 
     # lookup store_object.id
     store_object = Store::Object.create_if_not_exists(name: data['object'])
@@ -50,9 +50,34 @@ returns
     data.delete('data')
     data.delete('object')
 
+    data['preferences'] ||= {}
+    ['Mime-Type', 'Content-Type', 'mime_type', 'content_type'].each do |key|
+      next if data['preferences'][key].blank?
+      next if !data['preferences'][key].match(%r{image/(jpeg|jpg|png)}i)
+
+      data['preferences']['resizable'] = true
+      break
+    end
+
     # store meta data
     store = Store.create!(data)
 
+    begin
+      if store.preferences[:resizable] == true
+        if store.content_preview(silence: true)
+          store.preferences[:content_preview] = true
+        end
+        if store.content_inline(silence: true)
+          store.preferences[:content_inline] = true
+        end
+        store.save!
+      end
+    rescue => e
+      logger.error e
+      store.preferences[:resizable] = false
+      store.save!
+    end
+
     store
   end
 
@@ -165,6 +190,52 @@ returns
 
 =begin
 
+get content of file in preview size
+
+  store = Store.find(store_id)
+  content_as_string = store.content_preview
+
+returns
+
+  content_as_string
+
+=end
+
+  def content_preview(options = {})
+    file = Store::File.find_by(id: store_file_id)
+    if !file
+      raise "No such file #{store_file_id}!"
+    end
+    raise 'Unable to generate preview' if options[:silence] != true && preferences[:content_preview] != true
+
+    image_resize(file.content, 200)
+  end
+
+=begin
+
+get content of file in inline size
+
+  store = Store.find(store_id)
+  content_as_string = store.content_inline
+
+returns
+
+  content_as_string
+
+=end
+
+  def content_inline(options = {})
+    file = Store::File.find_by(id: store_file_id)
+    if !file
+      raise "No such file #{store_file_id}!"
+    end
+    raise 'Unable to generate inline' if options[:silence] != true && preferences[:content_inline] != true
+
+    image_resize(file.content, 1800)
+  end
+
+=begin
+
 get content of file
 
   store = Store.find(store_id)
@@ -204,4 +275,32 @@ returns
 
     file.provider
   end
+
+  private
+
+  def image_resize(content, width)
+    local_sha = Digest::SHA256.hexdigest(content)
+
+    cache_key = "image-resize-#{local_sha}_#{width}"
+    all = nil
+    image = Cache.get(cache_key)
+    return image if image
+
+    temp_file = ::Tempfile.new
+    temp_file.binmode
+    temp_file.write(content)
+    temp_file.close
+    image = Rszr::Image.load(temp_file.path)
+    return if image.width < width
+
+    image.resize!(width, :auto)
+    temp_file_resize = ::Tempfile.new.path
+    image.save(temp_file_resize)
+    image_resized = ::File.binread(temp_file_resize)
+
+    Cache.write(cache_key, image_resized, { expires_in: 6.months })
+
+    image_resized
+  end
+
 end
diff --git a/app/models/ticket/article.rb b/app/models/ticket/article.rb
index e5c1c56f7..d4f23bf83 100644
--- a/app/models/ticket/article.rb
+++ b/app/models/ticket/article.rb
@@ -82,7 +82,7 @@ returns
       article['attachments'].each do |file|
         next if !file[:preferences] || !file[:preferences]['Content-ID'] || (file[:preferences]['Content-ID'] != cid && file[:preferences]['Content-ID'] != "<#{cid}>" )
 
-        replace = "#{tag_start}/api/v1/ticket_attachment/#{article['ticket_id']}/#{article['id']}/#{file[:id]}\"#{tag_end}>"
+        replace = "#{tag_start}/api/v1/ticket_attachment/#{article['ticket_id']}/#{article['id']}/#{file[:id]}?view=inline\"#{tag_end}>"
         inline_attachments[file[:id]] = true
         break
       end
diff --git a/db/migrate/20190131000001_setting_change_ticket_zoom_attachment_preview.rb b/db/migrate/20190131000001_setting_change_ticket_zoom_attachment_preview.rb
new file mode 100644
index 000000000..296db7b3f
--- /dev/null
+++ b/db/migrate/20190131000001_setting_change_ticket_zoom_attachment_preview.rb
@@ -0,0 +1,34 @@
+class SettingChangeTicketZoomAttachmentPreview < ActiveRecord::Migration[5.1]
+  def up
+    # return if it's a new setup
+    return if !Setting.find_by(name: 'system_init_done')
+
+    Setting.create_or_update(
+      title:       'Sidebar Attachments',
+      name:        'ui_ticket_zoom_attachments_preview',
+      area:        'UI::TicketZoom::Preview',
+      description: 'Enables preview of attachments.',
+      options:     {
+        form: [
+          {
+            display:   '',
+            null:      true,
+            name:      'ui_ticket_zoom_attachments_preview',
+            tag:       'boolean',
+            translate: true,
+            options:   {
+              true  => 'yes',
+              false => 'no',
+            },
+          },
+        ],
+      },
+      state:       true,
+      preferences: {
+        prio:       400,
+        permission: ['admin.ui'],
+      },
+      frontend:    true
+    )
+  end
+end
diff --git a/db/seeds/settings.rb b/db/seeds/settings.rb
index 778538f0c..0d6ce04e1 100644
--- a/db/seeds/settings.rb
+++ b/db/seeds/settings.rb
@@ -793,7 +793,7 @@ Setting.create_if_not_exists(
       },
     ],
   },
-  state:       false,
+  state:       true,
   preferences: {
     prio:       400,
     permission: ['admin.ui'],
diff --git a/public/assets/chat/chat-no-jquery.coffee b/public/assets/chat/chat-no-jquery.coffee
index f43d1285b..7b8fe5cc7 100644
--- a/public/assets/chat/chat-no-jquery.coffee
+++ b/public/assets/chat/chat-no-jquery.coffee
@@ -501,7 +501,7 @@ do(window) ->
     stopPropagation: (event) ->
       event.stopPropagation()
 
-    onPaste: (e) =>
+    onDrop: (e) =>
       e.stopPropagation()
       e.preventDefault()
 
diff --git a/test/data/image/1000x1000.png b/test/data/image/1000x1000.png
new file mode 100644
index 0000000000000000000000000000000000000000..02756786d88868ef3fe6089b7a79ffcfe0300f67
GIT binary patch
literal 2424
zcmds3`&SZp7T4|J^iWQ<lOq^<(k(R+^Oc#vI^%ORF*M(=%17cO9|R8a*wNkGGSeEA
z6qQzsW~F>#5I)dyv=L=kLPJxu$xxxxL`V^pMSq$9VeUEi-0$~(&i&r|`F_v&obSz$
zU_ayi!2JdW2F3yY-Y5fuUGv+%dzU`bQ#vTo2T({*n2$c{bUF(Q3p$-XJw4si(}O@D
z5)u-~Wb)~*zIr{pFWWyV&%nUsmu)w!IAsFT=XM2ndxhoKEJ(fbCI-GXNUUy4I#v>i
zCO(X_9TZguOqlnL1mr!b9)9R&n^^;HV2fvM*yq<d2g(fs5+e?EMBn;KL!_1yzO2a%
zueBOfzPq|x-|5e7y*F+rbl)=CQZmyn5R|ll*~AXxB)n<~dh7j%m7dvv&yQ#7-ER^J
zDzDaTWpm97uVjyPar+&T+aOKRTWcypf#Z$_ax{fSe2hwMw{|?0@g2^kv@(~_+US>~
z%xrr1!0Fg#E+lfpA%RhZ3-u1v%qeC7(>(lYXXC}Xx&0<~Vl>o_r0t7n=4p6u70oM;
zJhF{^+9`e)Z#K<BUy-2+Iyf>rr0P!75R%lLuZibwBJ+|xFf(n24pxusKjwI(O-*9<
z-vgV6F-F15#j^rdjdrfLqHnt7<R#lzPt%YWmn3I*=4*2;I48v00Nc>IEjJYZvCs0#
zGfuJ3a*6piEjvFI^BG6xa5v}8*+f?T8s@LIvL~VcXtVt3pdQ9gj#~`Hy{|Q|GLdRF
z%1tYCCt;by4s35AV4DJ_C)4L~!RZPRa?Xg`LMfI)uD81dGmMNX(#F5kW)h^}McjzG
z{>V#IywMe9f8)3E7Z}j5Dw}TvfG?M};=v=co!CfzN#b#B?&u!*izM2wDogj~Z&J-D
zdl&0%;7wZ~O0Icu+8yfOzTfGmMS6(F7wPS_uBHx!C|`DHR4*Oo;{J2cm6+#~0PubJ
z|BjufRquX80Gi!}R<F=h`gefLDPBa9T2@jOk|FWP0}9kC;@q|B0e=AFtv@4KNFFhU
zPiSZktoI+#%XT)h^B-oFKc&nE?!dy!9Ek<V8u)zta+b?2it@Nq2`poPuSy(Rw!SCU
zmQm$i_ROI;I!{<xloi5HODaZWd04^5w&oBf2oSQN;iIn;5eOoubn-|k*oiJhWv+Rr
ze@>Xi((59~tNuajwa@k>)wDN5W{AiY%;P1(@hvW46q1ZNRjRm&#J9+jFYJCAAD3S1
ziDE1-fVlr*F*|h3S0ZOBz9k62ro>oZRkI43|1BG8Hy^Y*c~5kjeCB$fS?vr(T#o}E
z&FD0VCVF<S7H0B-8dzP5<{*-1QLP9fyM!UrA&nGp#(|j4EnngNw6hn=YHE)y^%L3L
zEZdo)Nx@~$AOIE<)9u%gI_!cU{%`OUZsXo0ibGkJ53Ao}PQb=QnQCxp-D&asr#8O)
z3(p+u&G8Vis+8h6zya*Dm~P}wB|L)IF(bJ|eTf=yL&f!}5+gcCwJ!L9pc&d3-l<Oy
z_1&m8b@q)F;Db*%_~z|dHmphQLJ$mlut^t&cWjwbbOT{m7&!Cp2EX;%5lHf<#V}Vh
z_z#he?PxV=XM*!=bg)je8TIL(Pcu~)nXBm-5RBeJX<bny+lCe$I?r6qP~EPY%JI!=
z;EYN<UjLEeig1Ll`(J-?!%G!JkknV0TF_Upv;15qd~+hV!H2n;g*n0{u(={;_>y$q
z4G*8_a1Yg8@eyfnFiM=qGd?<fid7#hpGpsjyCFykJQItSY=Wf5R0125{tSCG3W77`
zgtNwfJANzL^*X?GAj>nf#D?7#+lX}|drW?4b$%9W7n|k2Pd9?*Ub^hqh*m`{g$t?j
zc_+3vuFTXI&ObaKef<tNW>=3q2=e39OX@LnNlDJ{z_rp;#gIwNT6Ab;&gmu`QyU%X
zHnH}XE1S^K2&tCc0d-7aRW#cPU3YfPcB!n2;=^I#90{J?QG7V*$PYjJx$_~q5d9r@
zbiZMZI;Q}Myy30MYx@E<{s3TfPuW!SDD0{Y?E$6LP}6p{KLCJzI_<Y4QJ6WG8q12c
zd0r0o$w_4iu<KCRm~s2jVHH|^yJ}$X11UNG9lsKM<ZZm8m^lhN;X<n^8(+}<{oNw}
zIs9pzvlvFS%(k*m9@~>H91aGsF%bjmG<8kYjhWtf&-KnjmC8e4rG>+f3nIl?XQ`xk
zL-G=}x2GtF?RJ!5bdHY0-T-f(@@~$PFU=;K$Xl5w5$h#q<S#15qF1#suylrYy$^Qa
zE(%K;ZrpT(JwF`tkwj*u3fi@_*n*WKad~%9;idT#_*D<TY?&u^qbqo99^gOw#C4s%
zAShcF^gG<4ewVq@wV<)lcp|gY2xdg~qz=)Au&hE4Zax;!X1dq^CC#^G7S=fUb}o}U
z)c$~`ngk#C23~o;>Nn~nnVYZK!t?-PBv1zLdv%#^O|dZD=*oxY?lG#66Etc$d77sc
z82Pj!nDn{#t8nNW5|ZTV4R_b88Q@JJ^DYVcOJLOI-ki`U69l~yM+;7Z=*a@i=fy~w
zBjT&@V5?Lo`L=)~Duu+VGh%wvDv#_;T+slyMWFJ!;k8caR1HD-`{)2_`<wA+HcPtB
Ykhyj!95{PVu+1~TC)m5`+r+~E126*!JOBUy

literal 0
HcmV?d00001

diff --git a/test/data/image/1x1.png b/test/data/image/1x1.png
new file mode 100644
index 0000000000000000000000000000000000000000..a3e71629295905dafa0d7d4c769ad57d32d4ff23
GIT binary patch
literal 106
zcmeAS@N?(olHy`uVBq!ia0vp^j3CU&3?x-=hn)gaYymzYu0Z<#|Nl#G&c6#}aTa()
v7BevL9RXp+soH$fKtV1~7sn8enaK%2HWLHmm%@}~Ko*0itDnm{r-UW|njsiP

literal 0
HcmV?d00001

diff --git a/test/unit/store_test.rb b/test/unit/store_test.rb
index 492fd313b..92b8657fc 100644
--- a/test/unit/store_test.rb
+++ b/test/unit/store_test.rb
@@ -151,4 +151,124 @@ class StoreTest < ActiveSupport::TestCase
       assert_not(attachments[0])
     end
   end
+
+  test 'test resizable' do
+
+    # not possible
+    store = Store.add(
+      object:        'SomeObject1',
+      o_id:          rand(1_234_567_890),
+      data:          File.binread(Rails.root.join('test', 'data', 'upload', 'upload1.txt')),
+      filename:      'test1.pdf',
+      preferences:   {
+        content_type: 'text/plain',
+        content_id:   234,
+      },
+      created_by_id: 1,
+    )
+    assert_not(store.preferences.key?(:resizable))
+    assert_not(store.preferences.key?(:content_inline))
+    assert_not(store.preferences.key?(:content_preview))
+    assert_raises(RuntimeError) do
+      store.content_inline
+    end
+    assert_raises(RuntimeError) do
+      store.content_preview
+    end
+
+    # not possible
+    store = Store.add(
+      object:        'SomeObject2',
+      o_id:          rand(1_234_567_890),
+      data:          File.binread(Rails.root.join('test', 'data', 'upload', 'upload1.txt')),
+      filename:      'test1.pdf',
+      preferences:   {
+        content_type: 'image/jpg',
+        content_id:   234,
+      },
+      created_by_id: 1,
+    )
+    assert_equal(store.preferences[:resizable], false)
+    assert_not(store.preferences.key?(:content_inline))
+    assert_not(store.preferences.key?(:content_preview))
+    assert_raises(RuntimeError) do
+      store.content_inline
+    end
+    assert_raises(RuntimeError) do
+      store.content_preview
+    end
+
+    # possible (preview and inline)
+    store = Store.add(
+      object:        'SomeObject3',
+      o_id:          rand(1_234_567_890),
+      data:          File.binread(Rails.root.join('test', 'data', 'upload', 'upload2.jpg')),
+      filename:      'test1.pdf',
+      preferences:   {
+        content_type: 'image/jpg',
+        content_id:   234,
+      },
+      created_by_id: 1,
+    )
+    assert_equal(store.preferences[:resizable], true)
+    assert_equal(store.preferences[:content_inline], true)
+    assert_equal(store.preferences[:content_preview], true)
+
+    temp_file = ::Tempfile.new.path
+    File.binwrite(temp_file, store.content_inline)
+    image = Rszr::Image.load(temp_file)
+    assert_equal(image.width, 1800)
+
+    temp_file = ::Tempfile.new.path
+    File.binwrite(temp_file, store.content_preview)
+    image = Rszr::Image.load(temp_file)
+    assert_equal(image.width, 200)
+
+    # possible (preview only)
+    store = Store.add(
+      object:        'SomeObject4',
+      o_id:          rand(1_234_567_890),
+      data:          File.binread(Rails.root.join('test', 'data', 'image', '1000x1000.png')),
+      filename:      'test1.png',
+      preferences:   {
+        content_type: 'image/png',
+        content_id:   234,
+      },
+      created_by_id: 1,
+    )
+    assert_equal(store.preferences[:resizable], true)
+    assert_nil(store.preferences[:content_inline])
+    assert_equal(store.preferences[:content_preview], true)
+    assert_raises(RuntimeError) do
+      store.content_inline
+    end
+
+    temp_file = ::Tempfile.new.path
+    File.binwrite(temp_file, store.content_preview)
+    image = Rszr::Image.load(temp_file)
+    assert_equal(image.width, 200)
+
+    # possible (now preview or inline needed)
+    store = Store.add(
+      object:        'SomeObject5',
+      o_id:          rand(1_234_567_890),
+      data:          File.binread(Rails.root.join('test', 'data', 'image', '1x1.png')),
+      filename:      'test1.png',
+      preferences:   {
+        content_type: 'image/png',
+        content_id:   234,
+      },
+      created_by_id: 1,
+    )
+    assert_equal(store.preferences[:resizable], true)
+    assert_nil(store.preferences[:content_inline])
+    assert_nil(store.preferences[:content_preview])
+    assert_raises(RuntimeError) do
+      store.content_inline
+    end
+    assert_raises(RuntimeError) do
+      store.content_preview
+    end
+
+  end
 end

From a2447fe4e3a153619d141069ce87d6e3272f8077 Mon Sep 17 00:00:00 2001
From: Martin Edenhofer <me@edenhofer.de>
Date: Thu, 14 Feb 2019 06:57:28 +0100
Subject: [PATCH 7/9] Enabled debian 8 for packager.io again.

---
 .pkgr.yml | 11 +++++++++++
 1 file changed, 11 insertions(+)

diff --git a/.pkgr.yml b/.pkgr.yml
index b5b36456d..b5a6647c1 100644
--- a/.pkgr.yml
+++ b/.pkgr.yml
@@ -16,6 +16,17 @@ targets:
     build_dependencies:
       - http://download.fedoraproject.org/pub/epel/7/x86_64/Packages/i/imlib2-1.4.5-9.el7.x86_64.rpm
       - http://download.fedoraproject.org/pub/epel/7/x86_64/Packages/i/imlib2-devel-1.4.5-9.el7.x86_64.rpm
+  debian-8:
+    dependencies:
+      - curl
+      - elasticsearch
+      - nginx|apache2
+      - postgresql|mysql-server|mariadb-server|sqlite
+      - libimlib2
+      - libimlib2-dev
+    build_dependencies:
+      - libimlib2
+      - libimlib2-dev
   debian-9:
     dependencies:
       - curl

From 20104e9b2e51f9fd1a94ff734fa402563760f6a5 Mon Sep 17 00:00:00 2001
From: Martin Edenhofer <me@edenhofer.de>
Date: Thu, 14 Feb 2019 08:40:32 +0100
Subject: [PATCH 8/9] Updated to 2.10.0.

---
 CHANGELOG.md | 4 ++--
 VERSION      | 2 +-
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index da82b127a..954e06c0e 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,7 +1,7 @@
 # Change Log
 
-## [2.9.0](https://github.com/zammad/zammad/tree/2.9.0) (2018-xx-xx)
-[Full Changelog](https://github.com/zammad/zammad/compare/2.8.0...2.9.0)
+## [2.10.0](https://github.com/zammad/zammad/tree/2.10.0) (2019-xx-xx)
+[Full Changelog](https://github.com/zammad/zammad/compare/2.8.0...2.10.0)
 
 **Implemented enhancements:**
 
diff --git a/VERSION b/VERSION
index f4622d320..e9f1e3cea 100644
--- a/VERSION
+++ b/VERSION
@@ -1 +1 @@
-2.9.x
+2.10.x

From 76a4b66417b77b9dd8edc7ecd408d1a9a5be4530 Mon Sep 17 00:00:00 2001
From: Martin Edenhofer <me@znuny.com>
Date: Fri, 15 Feb 2019 16:45:48 +0100
Subject: [PATCH 9/9] Fixes issue #2478 - Unable to update ticket with IE11.

---
 app/assets/javascripts/app/controllers/ticket_zoom.coffee | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/app/assets/javascripts/app/controllers/ticket_zoom.coffee b/app/assets/javascripts/app/controllers/ticket_zoom.coffee
index 73fc47fc1..6df84a8b0 100644
--- a/app/assets/javascripts/app/controllers/ticket_zoom.coffee
+++ b/app/assets/javascripts/app/controllers/ticket_zoom.coffee
@@ -808,7 +808,8 @@ class App.TicketZoom extends App.Controller
     @autosaveStop()
 
     # validate ticket form using HTML5 validity check
-    if !@$('.edit').parent().get(0).reportValidity()
+    element = @$('.edit').parent().get(0)
+    if element && element.reportValidity && !element.reportValidity()
       @submitEnable(e)
       @autosaveStart()
       return