From 7823bfe50ee5695b451706b81066a5bda6c95ef4 Mon Sep 17 00:00:00 2001 From: "wurblzap%gmail.com" Date: Tue, 8 Nov 2005 13:34:37 +0000 Subject: [PATCH] Documentation patch for bug 126266: Use UTF-8 (Unicode) charset encoding for pages and email for NEW installations Patch by Marc Schumann r=colin.ogilvie --- webtools/bugzilla/docs/xml/security.xml | 37 ++++++++++++------------- 1 file changed, 17 insertions(+), 20 deletions(-) diff --git a/webtools/bugzilla/docs/xml/security.xml b/webtools/bugzilla/docs/xml/security.xml index b438fb3009c..9d53746c644 100644 --- a/webtools/bugzilla/docs/xml/security.xml +++ b/webtools/bugzilla/docs/xml/security.xml @@ -1,5 +1,5 @@ - + Bugzilla Security @@ -352,28 +352,25 @@ skip-networking
Prevent users injecting malicious Javascript - It is possible for a Bugzilla user to take advantage of character - set encoding ambiguities to inject HTML into Bugzilla comments. This - could include malicious scripts. - Due to internationalization concerns, we are unable to - incorporate by default the code changes suggested by + If you installed Bugzilla version 2.22 or later from scratch, + then the utf8 parameter is switched on by default. + This makes Bugzilla explicitly set the character encoding, following the - CERT advisory on this issue. - Making the change in will - prevent this problem. + url="http://www.cert.org/tech_tips/malicious_code_mitigation.html#3">a + CERT advisory recommending exactly this. + The following therefore does not apply to you; just keep + utf8 turned on. - - Forcing Bugzilla to output a charset - - Locate the following line in - Bugzilla/CGI.pm: - $self->charset(''); - and change it to: - $self->charset('UTF-8'); - - + If you've upgraded from an older version, then it may be possible + for a Bugzilla user to take advantage of character set encoding + ambiguities to inject HTML into Bugzilla comments. + This could include malicious scripts. + This is because due to internationalization concerns, we are unable to + turn the utf8 parameter on by default for upgraded + installations. + Turning it on manually will prevent this problem. +