Symptoms

JIRA System Administrators are unable to restore from a backup and the following message is displayed at the top of Administration > Restore Data from XML:

Changing the attachment, index, backup or restore settings is not allowed for security reasons. You must edit jira-application.properties and explicitly set 'jira.paths.set.allowed=true'. Restart JIRA and then the path settings will be able to be changed.

Cause

This is a warning introduced in JIRA Security Advisory 2010-04-16 patch. This warning is to inform the JIRA Administrator that it is not possible to specify the path for the backup XML file, or perform the backup process, while the jira.paths.set.allowed property is set to false.

If you have set 'jira.paths.set.allowed=true' in your jira-application.properties file, you will instead get the message:

You have enabled the ability to change attachment, index, backup or restore path settings from within JIRA. Having this setting on can cause a known security risk. See [JRA-21004@JIRA] for more details

To re-enable stronger security, edit jira-application.properties and explicitly set 'jira.paths.set.allowed=false'. Restart JIRA and then the path settings will be NOT able to be changed.

This warning informs your administrators that their instance may be vulnerable.

Workaround

In order to restore a backup jira.paths.set.allowed in <JIRA-INSTALL>/atlassian-jira/WEB-INF/classes/jira-application.properties must be set to true. The relevant portion of the modified file should look like this:

jira.paths.set.allowed=true

After restarting JIRA, it should be possible to proceed with the restore.

Solution

Upgrade to JIRA 4.2 or later. This property is no longer needed.