184 lines
3.0 KiB
HTML
184 lines
3.0 KiB
HTML
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
|
|
<HTML
|
|
><HEAD
|
|
><TITLE
|
|
>Bugzilla</TITLE
|
|
><META
|
|
NAME="GENERATOR"
|
|
CONTENT="Modular DocBook HTML Stylesheet Version 1.79"><LINK
|
|
REL="HOME"
|
|
TITLE="The Bugzilla Guide - 3.6.1
|
|
Release"
|
|
HREF="index.html"><LINK
|
|
REL="UP"
|
|
TITLE="Bugzilla Security"
|
|
HREF="security.html"><LINK
|
|
REL="PREVIOUS"
|
|
TITLE="Web server"
|
|
HREF="security-webserver.html"><LINK
|
|
REL="NEXT"
|
|
TITLE="Using Bugzilla"
|
|
HREF="using.html"></HEAD
|
|
><BODY
|
|
CLASS="section"
|
|
BGCOLOR="#FFFFFF"
|
|
TEXT="#000000"
|
|
LINK="#0000FF"
|
|
VLINK="#840084"
|
|
ALINK="#0000FF"
|
|
><DIV
|
|
CLASS="NAVHEADER"
|
|
><TABLE
|
|
SUMMARY="Header navigation table"
|
|
WIDTH="100%"
|
|
BORDER="0"
|
|
CELLPADDING="0"
|
|
CELLSPACING="0"
|
|
><TR
|
|
><TH
|
|
COLSPAN="3"
|
|
ALIGN="center"
|
|
>The Bugzilla Guide - 3.6.1
|
|
Release</TH
|
|
></TR
|
|
><TR
|
|
><TD
|
|
WIDTH="10%"
|
|
ALIGN="left"
|
|
VALIGN="bottom"
|
|
><A
|
|
HREF="security-webserver.html"
|
|
ACCESSKEY="P"
|
|
>Prev</A
|
|
></TD
|
|
><TD
|
|
WIDTH="80%"
|
|
ALIGN="center"
|
|
VALIGN="bottom"
|
|
>Chapter 4. Bugzilla Security</TD
|
|
><TD
|
|
WIDTH="10%"
|
|
ALIGN="right"
|
|
VALIGN="bottom"
|
|
><A
|
|
HREF="using.html"
|
|
ACCESSKEY="N"
|
|
>Next</A
|
|
></TD
|
|
></TR
|
|
></TABLE
|
|
><HR
|
|
ALIGN="LEFT"
|
|
WIDTH="100%"></DIV
|
|
><DIV
|
|
CLASS="section"
|
|
><H1
|
|
CLASS="section"
|
|
><A
|
|
NAME="security-bugzilla"
|
|
>4.3. Bugzilla</A
|
|
></H1
|
|
><DIV
|
|
CLASS="section"
|
|
><H2
|
|
CLASS="section"
|
|
><A
|
|
NAME="security-bugzilla-charset"
|
|
>4.3.1. Prevent users injecting malicious Javascript</A
|
|
></H2
|
|
><P
|
|
>If you installed Bugzilla version 2.22 or later from scratch,
|
|
then the <EM
|
|
>utf8</EM
|
|
> parameter is switched on by default.
|
|
This makes Bugzilla explicitly set the character encoding, following
|
|
<A
|
|
HREF="http://www.cert.org/tech_tips/malicious_code_mitigation.html#3"
|
|
TARGET="_top"
|
|
>a
|
|
CERT advisory</A
|
|
> recommending exactly this.
|
|
The following therefore does not apply to you; just keep
|
|
<EM
|
|
>utf8</EM
|
|
> turned on.
|
|
</P
|
|
><P
|
|
>If you've upgraded from an older version, then it may be possible
|
|
for a Bugzilla user to take advantage of character set encoding
|
|
ambiguities to inject HTML into Bugzilla comments.
|
|
This could include malicious scripts.
|
|
This is because due to internationalization concerns, we are unable to
|
|
turn the <EM
|
|
>utf8</EM
|
|
> parameter on by default for upgraded
|
|
installations.
|
|
Turning it on manually will prevent this problem.
|
|
</P
|
|
></DIV
|
|
></DIV
|
|
><DIV
|
|
CLASS="NAVFOOTER"
|
|
><HR
|
|
ALIGN="LEFT"
|
|
WIDTH="100%"><TABLE
|
|
SUMMARY="Footer navigation table"
|
|
WIDTH="100%"
|
|
BORDER="0"
|
|
CELLPADDING="0"
|
|
CELLSPACING="0"
|
|
><TR
|
|
><TD
|
|
WIDTH="33%"
|
|
ALIGN="left"
|
|
VALIGN="top"
|
|
><A
|
|
HREF="security-webserver.html"
|
|
ACCESSKEY="P"
|
|
>Prev</A
|
|
></TD
|
|
><TD
|
|
WIDTH="34%"
|
|
ALIGN="center"
|
|
VALIGN="top"
|
|
><A
|
|
HREF="index.html"
|
|
ACCESSKEY="H"
|
|
>Home</A
|
|
></TD
|
|
><TD
|
|
WIDTH="33%"
|
|
ALIGN="right"
|
|
VALIGN="top"
|
|
><A
|
|
HREF="using.html"
|
|
ACCESSKEY="N"
|
|
>Next</A
|
|
></TD
|
|
></TR
|
|
><TR
|
|
><TD
|
|
WIDTH="33%"
|
|
ALIGN="left"
|
|
VALIGN="top"
|
|
>Web server</TD
|
|
><TD
|
|
WIDTH="34%"
|
|
ALIGN="center"
|
|
VALIGN="top"
|
|
><A
|
|
HREF="security.html"
|
|
ACCESSKEY="U"
|
|
>Up</A
|
|
></TD
|
|
><TD
|
|
WIDTH="33%"
|
|
ALIGN="right"
|
|
VALIGN="top"
|
|
>Using Bugzilla</TD
|
|
></TR
|
|
></TABLE
|
|
></DIV
|
|
></BODY
|
|
></HTML
|
|
> |