mirror of https://github.com/mozilla/pjs.git
Documentation patch for bug 126266: Use UTF-8 (Unicode) charset encoding for pages and email for NEW installations
Patch by Marc Schumann <wurblzap@gmail.com> r=colin.ogilvie
Parent
0e3754138e
Commit
7823bfe50e
|
@ -1,5 +1,5 @@
|
||||||
<!-- <!DOCTYPE chapter PUBLIC "-//OASIS//DTD DocBook XML V4.1.2//EN"> -->
|
<!-- <!DOCTYPE chapter PUBLIC "-//OASIS//DTD DocBook XML V4.1.2//EN"> -->
|
||||||
<!-- $Id: security.xml,v 1.7 2005-08-21 18:16:41 lpsolit%gmail.com Exp $ -->
|
<!-- $Id: security.xml,v 1.8 2005-11-08 13:34:37 wurblzap%gmail.com Exp $ -->
|
||||||
|
|
||||||
<chapter id="security">
|
<chapter id="security">
|
||||||
<title>Bugzilla Security</title>
|
<title>Bugzilla Security</title>
|
||||||
|
@ -352,28 +352,25 @@ skip-networking
|
||||||
<section id="security-bugzilla-charset">
|
<section id="security-bugzilla-charset">
|
||||||
<title>Prevent users injecting malicious Javascript</title>
|
<title>Prevent users injecting malicious Javascript</title>
|
||||||
|
|
||||||
<para>It is possible for a Bugzilla user to take advantage of character
|
<para>If you installed Bugzilla version 2.22 or later from scratch,
|
||||||
set encoding ambiguities to inject HTML into Bugzilla comments. This
|
then the <emphasis>utf8</emphasis> parameter is switched on by default.
|
||||||
could include malicious scripts.
|
This makes Bugzilla explicitly set the character encoding, following
|
||||||
Due to internationalization concerns, we are unable to
|
|
||||||
incorporate by default the code changes suggested by
|
|
||||||
<ulink
|
<ulink
|
||||||
url="http://www.cert.org/tech_tips/malicious_code_mitigation.html#3">the
|
url="http://www.cert.org/tech_tips/malicious_code_mitigation.html#3">a
|
||||||
CERT advisory</ulink> on this issue.
|
CERT advisory</ulink> recommending exactly this.
|
||||||
Making the change in <xref linkend="security-bugzilla-charset-ex"/> will
|
The following therefore does not apply to you; just keep
|
||||||
prevent this problem.
|
<emphasis>utf8</emphasis> turned on.
|
||||||
</para>
|
</para>
|
||||||
|
|
||||||
<example id="security-bugzilla-charset-ex">
|
<para>If you've upgraded from an older version, then it may be possible
|
||||||
<title>Forcing Bugzilla to output a charset</title>
|
for a Bugzilla user to take advantage of character set encoding
|
||||||
|
ambiguities to inject HTML into Bugzilla comments.
|
||||||
<para>Locate the following line in
|
This could include malicious scripts.
|
||||||
<filename>Bugzilla/CGI.pm</filename>:
|
This is because due to internationalization concerns, we are unable to
|
||||||
<programlisting>$self->charset('');</programlisting>
|
turn the <emphasis>utf8</emphasis> parameter on by default for upgraded
|
||||||
and change it to:
|
installations.
|
||||||
<programlisting>$self->charset('UTF-8');</programlisting>
|
Turning it on manually will prevent this problem.
|
||||||
</para>
|
</para>
|
||||||
</example>
|
|
||||||
</section>
|
</section>
|
||||||
|
|
||||||
</section>
|
</section>
|
||||||
|
|
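Review bot: the new paragraph for upgraded installations closes with "Turning it on manually will prevent this problem." but, having dropped the old <example id="security-bugzilla-charset-ex"> with its Bugzilla/CGI.pm edit, it never tells the administrator where the utf8 parameter is switched on; add a sentence (or an <xref> to the section describing the parameters page) saying how to turn it on. Related: this hunk removes both the <example> element and the <xref linkend="security-bugzilla-charset-ex"/> that pointed at it, so please confirm no other file in the documentation still references that id, since a dangling linkend would break the DocBook build. The text also says the parameter cannot be enabled by default for upgraded installations "due to internationalization concerns" without saying what an administrator should check before enabling it by hand; one sentence on what those concerns are would help the reader the paragraph is addressed to. Minor wording: "This is because due to internationalization concerns, we are unable to" reads awkwardly; "Due to internationalization concerns, we are unable to", as in the removed text, is enough.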