Ship with plugin upload disabled by default


    • CtB - Improve Existing

      Backported

      Note that this change has also been backported to earlier Bitbucket release lines, so the behaviour change described below exists in 8.18.0+, and also in 8.9.10+ (LTS), 8.13.6+, 8.14.5+, 8.15.4+, 8.16.3+ and 8.17.1+.

      Bitbucket 8.18+ will ship with some more secure default settings. One of these concerns the ability to upload plugins. This feature (intentionally) allows a SYS_ADMIN user to upload an arbitrary plugin, and it is a feature most instances do not need. Beginning with Bitbucket 8.18 this feature will be disabled by default.

      Specifically, the following will change:

      • The "Upload app" button on the "Manage Apps" page will no longer be present by default
      • The REST API that permits a plugin to be uploaded from the client will be disabled by default
      • The REST API that permits a plugin to be installed via a URL will only allow installation from Atlassian Marketplace by default.

      However, it will still be possible to install and upgrade plugins from Atlassian Marketplace via the "Find new apps" page.

      For instances that actually require the ability to upload plugins, the following should be set in $BITBUCKET_HOME/shared/bitbucket.properties:

      upm.plugin.upload.enabled=true
      

      When upgrading an existing instance that needs this feature enabled, you can add this setting prior to the upgrade.
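
For administrators who want to confirm which instances still expose plugin upload, the following is an added example and not Atlassian's code. It combines the release lines listed above with the contents of bitbucket.properties to report whether upload is available. It assumes standard Java .properties syntax; the function names and the sample file contents are constructed for illustration.

```python
import re

PROP = "upm.plugin.upload.enabled"
# First release on each backported 8.x line, taken from the issue text above.
BACKPORT_FLOOR = {9: 10, 13: 6, 14: 5, 15: 4, 16: 3, 17: 1}


def disabled_by_default(version: str) -> bool:
    """True if this release ships with plugin upload off by default."""
    major, minor, patch = (int(p) for p in version.split(".")[:3])
    if (major, minor) >= (8, 18):
        return True
    # Assumption: 8.x lines not named in the issue did not receive the backport.
    return major == 8 and patch >= BACKPORT_FLOOR.get(minor, float("inf"))


def explicit_setting(properties_text: str):
    """Last uncommented value of PROP, or None when it is not set."""
    value = None
    for raw in properties_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":  # blank line or comment
            continue
        m = re.match(r"([^=:\s]+)\s*[=:]?\s*(.*)", line)
        if m and m.group(1) == PROP:
            value = m.group(2).strip()  # later duplicates override earlier ones
    return value


def audit(version: str, properties_text: str):
    """Return (upload_available, reason) for one instance."""
    if not disabled_by_default(version):
        return True, "release predates the disabled-by-default change"
    value = explicit_setting(properties_text)
    # Assumption: only the literal "true" (any case) switches the feature on.
    if value is not None and value.lower() == "true":
        return True, f"{PROP}=true is set"
    return False, "plugin upload is disabled"


# Constructed sample file contents, not taken from a real instance.
SAMPLE = """\
# upm.plugin.upload.enabled=true
example.unrelated.key=value
upm.plugin.upload.enabled = true
"""

if __name__ == "__main__":
    for v in ("8.9.9", "8.9.10", "8.17.0", "8.18.0"):
        print(v, audit(v, SAMPLE), audit(v, "example.unrelated.key=value\n"))
```

An instance reported as upload-available on a patched release has had the setting turned back on deliberately, which is worth reconciling against a documented need for it.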

            Assignee:
            Ben Humphreys
            Reporter:
            Ben Humphreys