BugsSite/docs/html/security-bugzilla.html - WebKit - Git at Google

 <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
 <HTML
 ><HEAD
 ><TITLE
 >Bugzilla</TITLE
 ><META
 NAME="GENERATOR"
 CONTENT="Modular DocBook HTML Stylesheet Version 1.7"><LINK
 REL="HOME"
 TITLE="The Bugzilla Guide - 2.20.1
     Release"
 HREF="index.html"><LINK
 REL="UP"
 TITLE="Bugzilla Security"
 HREF="security.html"><LINK
 REL="PREVIOUS"
 TITLE="Webserver"
 HREF="security-webserver.html"><LINK
 REL="NEXT"
 TITLE="Customising Bugzilla"
 HREF="customization.html"></HEAD
 ><BODY
 CLASS="section"
 BGCOLOR="#FFFFFF"
 TEXT="#000000"
 LINK="#0000FF"
 VLINK="#840084"
 ALINK="#0000FF"
 ><DIV
 CLASS="NAVHEADER"
 ><TABLE
 SUMMARY="Header navigation table"
 WIDTH="100%"
 BORDER="0"
 CELLPADDING="0"
 CELLSPACING="0"
 ><TR
 ><TH
 COLSPAN="3"
 ALIGN="center"
 >The Bugzilla Guide - 2.20.1
     Release</TH
 ></TR
 ><TR
 ><TD
 WIDTH="10%"
 ALIGN="left"
 VALIGN="bottom"
 ><A
 HREF="security-webserver.html"
 ACCESSKEY="P"
 >Prev</A
 ></TD
 ><TD
 WIDTH="80%"
 ALIGN="center"
 VALIGN="bottom"
 >Chapter 4. Bugzilla Security</TD
 ><TD
 WIDTH="10%"
 ALIGN="right"
 VALIGN="bottom"
 ><A
 HREF="customization.html"
 ACCESSKEY="N"
 >Next</A
 ></TD
 ></TR
 ></TABLE
 ><HR
 ALIGN="LEFT"
 WIDTH="100%"></DIV
 ><DIV
 CLASS="section"
 ><H1
 CLASS="section"
 ><A
 NAME="security-bugzilla"
 >4.4. Bugzilla</A
 ></H1
 ><DIV
 CLASS="section"
 ><H2
 CLASS="section"
 ><A
 NAME="security-bugzilla-charset"
 >4.4.1. Prevent users injecting malicious Javascript</A
 ></H2
 ><P
 >It is possible for a Bugzilla user to take advantage of character
       set encoding ambiguities to inject HTML into Bugzilla comments. This
       could include malicious scripts.
       Due to internationalization concerns, we are unable to
       incorporate by default the code changes suggested by
       <A
 HREF="http://www.cert.org/tech_tips/malicious_code_mitigation.html#3"
 TARGET="_top"
 >the
       CERT advisory</A
 > on this issue.
       Making the change in <A
 HREF="security-bugzilla.html#security-bugzilla-charset-ex"
 >Example 4-4</A
 > will
       prevent this problem.
       </P
 ><DIV
 CLASS="example"
 ><A
 NAME="security-bugzilla-charset-ex"
 ></A
 ><P
 ><B
 >Example 4-4. Forcing Bugzilla to output a charset</B
 ></P
 ><P
 >Locate the following line in
         <TT
 CLASS="filename"
 >Bugzilla/CGI.pm</TT
 >:
         <TABLE
 BORDER="0"
 BGCOLOR="#E0E0E0"
 WIDTH="100%"
 ><TR
 ><TD
 ><FONT
 COLOR="#000000"
 ><PRE
 CLASS="programlisting"
 >$self-&#62;charset('');</PRE
 ></FONT
 ></TD
 ></TR
 ></TABLE
 >
         and change it to:
         <TABLE
 BORDER="0"
 BGCOLOR="#E0E0E0"
 WIDTH="100%"
 ><TR
 ><TD
 ><FONT
 COLOR="#000000"
 ><PRE
 CLASS="programlisting"
 >$self-&#62;charset('UTF-8');</PRE
 ></FONT
 ></TD
 ></TR
 ></TABLE
 >
         </P
 ></DIV
 ></DIV
 ></DIV
 ><DIV
 CLASS="NAVFOOTER"
 ><HR
 ALIGN="LEFT"
 WIDTH="100%"><TABLE
 SUMMARY="Footer navigation table"
 WIDTH="100%"
 BORDER="0"
 CELLPADDING="0"
 CELLSPACING="0"
 ><TR
 ><TD
 WIDTH="33%"
 ALIGN="left"
 VALIGN="top"
 ><A
 HREF="security-webserver.html"
 ACCESSKEY="P"
 >Prev</A
 ></TD
 ><TD
 WIDTH="34%"
 ALIGN="center"
 VALIGN="top"
 ><A
 HREF="index.html"
 ACCESSKEY="H"
 >Home</A
 ></TD
 ><TD
 WIDTH="33%"
 ALIGN="right"
 VALIGN="top"
 ><A
 HREF="customization.html"
 ACCESSKEY="N"
 >Next</A
 ></TD
 ></TR
 ><TR
 ><TD
 WIDTH="33%"
 ALIGN="left"
 VALIGN="top"
 >Webserver</TD
 ><TD
 WIDTH="34%"
 ALIGN="center"
 VALIGN="top"
 ><A
 HREF="security.html"
 ACCESSKEY="U"
 >Up</A
 ></TD
 ><TD
 WIDTH="33%"
 ALIGN="right"
 VALIGN="top"
 >Customising Bugzilla</TD
 ></TR
 ></TABLE
 ></DIV
 ></BODY
 ></HTML
 >
	<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
	<HTML
	><HEAD
	><TITLE
	>Bugzilla</TITLE
	><META
	NAME="GENERATOR"
	CONTENT="Modular DocBook HTML Stylesheet Version 1.7"><LINK
	REL="HOME"
	TITLE="The Bugzilla Guide - 2.20.1
	Release"
	HREF="index.html"><LINK
	REL="UP"
	TITLE="Bugzilla Security"
	HREF="security.html"><LINK
	REL="PREVIOUS"
	TITLE="Webserver"
	HREF="security-webserver.html"><LINK
	REL="NEXT"
	TITLE="Customising Bugzilla"
	HREF="customization.html"></HEAD
	><BODY
	CLASS="section"
	BGCOLOR="#FFFFFF"
	TEXT="#000000"
	LINK="#0000FF"
	VLINK="#840084"
	ALINK="#0000FF"
	><DIV
	CLASS="NAVHEADER"
	><TABLE
	SUMMARY="Header navigation table"
	WIDTH="100%"
	BORDER="0"
	CELLPADDING="0"
	CELLSPACING="0"
	><TR
	><TH
	COLSPAN="3"
	ALIGN="center"
	>The Bugzilla Guide - 2.20.1
	Release</TH
	></TR
	><TR
	><TD
	WIDTH="10%"
	ALIGN="left"
	VALIGN="bottom"
	><A
	HREF="security-webserver.html"
	ACCESSKEY="P"
	>Prev</A
	></TD
	><TD
	WIDTH="80%"
	ALIGN="center"
	VALIGN="bottom"
	>Chapter 4. Bugzilla Security</TD
	><TD
	WIDTH="10%"
	ALIGN="right"
	VALIGN="bottom"
	><A
	HREF="customization.html"
	ACCESSKEY="N"
	>Next</A
	></TD
	></TR
	></TABLE
	><HR
	ALIGN="LEFT"
	WIDTH="100%"></DIV
	><DIV
	CLASS="section"
	><H1
	CLASS="section"
	><A
	NAME="security-bugzilla"
	>4.4. Bugzilla</A
	></H1
	><DIV
	CLASS="section"
	><H2
	CLASS="section"
	><A
	NAME="security-bugzilla-charset"
	>4.4.1. Prevent users injecting malicious Javascript</A
	></H2
	><P
	>It is possible for a Bugzilla user to take advantage of character
	set encoding ambiguities to inject HTML into Bugzilla comments. This
	could include malicious scripts.
	Due to internationalization concerns, we are unable to
	incorporate by default the code changes suggested by
	<A
	HREF="http://www.cert.org/tech_tips/malicious_code_mitigation.html#3"
	TARGET="_top"
	>the
	CERT advisory</A
	> on this issue.
	Making the change in <A
	HREF="security-bugzilla.html#security-bugzilla-charset-ex"
	>Example 4-4</A
	> will
	prevent this problem.
	</P
	><DIV
	CLASS="example"
	><A
	NAME="security-bugzilla-charset-ex"
	></A
	><P
	><B
	>Example 4-4. Forcing Bugzilla to output a charset</B
	></P
	><P
	>Locate the following line in
	<TT
	CLASS="filename"
	>Bugzilla/CGI.pm</TT
	>:
	<TABLE
	BORDER="0"
	BGCOLOR="#E0E0E0"
	WIDTH="100%"
	><TR
	><TD
	><FONT
	COLOR="#000000"
	><PRE
	CLASS="programlisting"
	>$self->charset('');</PRE
	></FONT
	></TD
	></TR
	></TABLE
	>
	and change it to:
	<TABLE
	BORDER="0"
	BGCOLOR="#E0E0E0"
	WIDTH="100%"
	><TR
	><TD
	><FONT
	COLOR="#000000"
	><PRE
	CLASS="programlisting"
	>$self->charset('UTF-8');</PRE
	></FONT
	></TD
	></TR
	></TABLE
	>
	</P
	></DIV
	></DIV
	></DIV
	><DIV
	CLASS="NAVFOOTER"
	><HR
	ALIGN="LEFT"
	WIDTH="100%"><TABLE
	SUMMARY="Footer navigation table"
	WIDTH="100%"
	BORDER="0"
	CELLPADDING="0"
	CELLSPACING="0"
	><TR
	><TD
	WIDTH="33%"
	ALIGN="left"
	VALIGN="top"
	><A
	HREF="security-webserver.html"
	ACCESSKEY="P"
	>Prev</A
	></TD
	><TD
	WIDTH="34%"
	ALIGN="center"
	VALIGN="top"
	><A
	HREF="index.html"
	ACCESSKEY="H"
	>Home</A
	></TD
	><TD
	WIDTH="33%"
	ALIGN="right"
	VALIGN="top"
	><A
	HREF="customization.html"
	ACCESSKEY="N"
	>Next</A
	></TD
	></TR
	><TR
	><TD
	WIDTH="33%"
	ALIGN="left"
	VALIGN="top"
	>Webserver</TD
	><TD
	WIDTH="34%"
	ALIGN="center"
	VALIGN="top"
	><A
	HREF="security.html"
	ACCESSKEY="U"
	>Up</A
	></TD
	><TD
	WIDTH="33%"
	ALIGN="right"
	VALIGN="top"
	>Customising Bugzilla</TD
	></TR
	></TABLE
	></DIV
	></BODY
	></HTML
	>