author | mozilla%colinogilvie.co.uk <> | 2008-04-04 13:47:38 +0200 |
---|---|---|
committer | mozilla%colinogilvie.co.uk <> | 2008-04-04 13:47:38 +0200 |
commit | 164b989ee0e92922fa031e870836a30d1a7cc39c (patch) | |
tree | 438757aa5d3484a6615d4f5ee7110311d1470029 /docs/en/xml/security.xml | |
parent | 6e7c6391dbafabaa3028c4fb05e5e6dbe23d167d (diff) | |
download | bugzilla-164b989ee0e92922fa031e870836a30d1a7cc39c.tar.gz bugzilla-164b989ee0e92922fa031e870836a30d1a7cc39c.tar.xz |
Bug 232378: switch from entities to XIncludes for inclusion of modular docs files
Patch by Colin Ogilvie <colin.ogilvie@gmail.com>; r=vladd
Diffstat (limited to 'docs/en/xml/security.xml')
-rw-r--r-- | docs/en/xml/security.xml | 51 |
1 files changed, 22 insertions, 29 deletions
diff --git a/docs/en/xml/security.xml b/docs/en/xml/security.xml index bc8aae657..a1f2f5770 100644 --- a/docs/en/xml/security.xml +++ b/docs/en/xml/security.xml @@ -1,5 +1,9 @@ -<!-- <!DOCTYPE chapter PUBLIC "-//OASIS//DTD DocBook XML V4.1.2//EN"> --> -<!-- $Id: security.xml,v 1.6 2008/04/04 06:48:13 zach%zachlipton.com Exp $ --> +<?xml version="1.0"?> +<!DOCTYPE chapter PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN" + "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd" [ + <!ENTITY % myents SYSTEM "bugzilla.ent"> + %myents; +]> <chapter id="security"> <title>Bugzilla Security</title> @@ -207,14 +211,6 @@ skip-networking </simplelist> </para> </listitem> - <listitem> - <para>But allow: - <simplelist type="inline"> - <member><filename>localconfig.js</filename></member> - <member><filename>localconfig.rdf</filename></member> - </simplelist> - </para> - </listitem> </itemizedlist> </listitem> 
@@ -360,28 +356,25 @@ skip-networking <section id="security-bugzilla-charset"> <title>Prevent users injecting malicious Javascript</title> - <para>It is possible for a Bugzilla user to take advantage of character - set encoding ambiguities to inject HTML into Bugzilla comments. This - could include malicious scripts. - Due to internationalization concerns, we are unable to - incorporate by default the code changes suggested by + <para>If you installed Bugzilla version 2.22 or later from scratch, + then the <emphasis>utf8</emphasis> parameter is switched on by default. + This makes Bugzilla explicitly set the character encoding, following <ulink - url="http://www.cert.org/tech_tips/malicious_code_mitigation.html#3">the - CERT advisory</ulink> on this issue. - Making the change in <xref linkend="security-bugzilla-charset-ex"/> will - prevent this problem. + url="http://www.cert.org/tech_tips/malicious_code_mitigation.html#3">a + CERT advisory</ulink> recommending exactly this. + The following therefore does not apply to you; just keep + <emphasis>utf8</emphasis> turned on. </para> - <example id="security-bugzilla-charset-ex"> - <title>Forcing Bugzilla to output a charset</title> - - <para>Locate the following line in - <filename>Bugzilla/CGI.pm</filename>: - <programlisting>$self->charset('');</programlisting> - and change it to: - <programlisting>$self->charset('UTF-8');</programlisting> - </para> - </example> + <para>If you've upgraded from an older version, then it may be possible + for a Bugzilla user to take advantage of character set encoding + ambiguities to inject HTML into Bugzilla comments. + This could include malicious scripts. + This is because due to internationalization concerns, we are unable to + turn the <emphasis>utf8</emphasis> parameter on by default for upgraded + installations. + Turning it on manually will prevent this problem. + </para> </section> </section> |
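Review bot: in the first hunk (the new prolog at the top of security.xml), the DOCTYPE now points at `"http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd"` over plain HTTP and declares `<!ENTITY % myents SYSTEM "bugzilla.ent">` followed by `%myents;`. Please make sure the doc build resolves the public identifier through a local XML catalog rather than fetching the DTD from the network on every build, and that `bugzilla.ent` is shipped next to this file; otherwise the build depends on an unauthenticated remote resource and on a relative path. The commit message says entities are being replaced by XIncludes, yet this hunk adds an external parameter-entity include, so a one-line comment in the prolog saying that `bugzilla.ent` is the shared entity-definition file (and not a modular content file) would stop the next reader from assuming it was missed.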
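Review bot: the second hunk (`@@ -207,14 +211,6 @@`) deletes the "But allow:" list item for `localconfig.js` and `localconfig.rdf` from the web-server access guidance, which is unrelated to the entity-to-XInclude change named in the commit message. If the exception is gone because those files are no longer served (or no longer exist), say so in the commit message; if it was dropped by accident, administrators following the surrounding deny rule will now block files the front end may still request. Either way the change in advice deserves its own sentence in the log.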
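Review bot: in the third hunk (the `security-bugzilla-charset` section), the new upgraded-installation paragraph ends with "Turning it on manually will prevent this problem" but no longer tells the reader where the `utf8` parameter lives, whereas the removed `<example id="security-bugzilla-charset-ex">` gave a concrete step (edit `Bugzilla/CGI.pm`). Consider keeping an `<example>` (or at least naming the parameter page) so an administrator of an upgraded site has an actionable instruction rather than only the parameter name. Also, the sentence "This is because due to internationalization concerns, we are unable to" reads awkwardly; "Due to internationalization concerns, we are unable to" is enough.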