diff options
author | lpsolit%gmail.com <> | 2009-02-02 19:21:33 +0100 |
---|---|---|
committer | lpsolit%gmail.com <> | 2009-02-02 19:21:33 +0100 |
commit | 8d70890dc0b7c24b25a344808ac4e63e6a5dd74e (patch) | |
tree | cc80d283ac39c08f00620b66a6fc991c5c3ad857 /template/en/default/admin | |
parent | b23648ca247167be26f1b51bd592b29309ebbc63 (diff) | |
download | bugzilla-8d70890dc0b7c24b25a344808ac4e63e6a5dd74e.tar.gz bugzilla-8d70890dc0b7c24b25a344808ac4e63e6a5dd74e.tar.xz |
Bug 38862: [SECURITY] attachments should be at a different hostname - Patch by Byron Jones <bugzilla@glob.com.au> and Frédéric Buclin <LpSolit@gmail.com> r=mkanat a=LpSolit
Diffstat (limited to 'template/en/default/admin')
-rw-r--r-- | template/en/default/admin/params/attachment.html.tmpl | 18 |
1 files changed, 18 insertions, 0 deletions
diff --git a/template/en/default/admin/params/attachment.html.tmpl b/template/en/default/admin/params/attachment.html.tmpl index ef3363bbb..7c0b52472 100644 --- a/template/en/default/admin/params/attachment.html.tmpl +++ b/template/en/default/admin/params/attachment.html.tmpl @@ -24,6 +24,24 @@ %] [% param_descs = { + attachment_base => "It is possible for a malicious attachment to steal your " _ + "cookies or access other attachments to perform an attack " _ + "on the user.<p>" _ + "If you would like additional security on attachments " _ + "to avoid this, set this parameter to an alternate URL " _ + "for your $terms.Bugzilla that is not the same as " _ + "<tt>urlbase</tt> or <tt>sslbase</tt>. That is, a different " _ + "domain name that resolves to this exact same $terms.Bugzilla " _ + "installation.<p>" _ + "For added security, you can insert <tt>%bugid%</tt> into " _ + "the URL, which will be replaced with the ID of the current " _ + "$terms.bug that the attachment is on, when you access " _ + "an attachment. This will limit attachments to accessing " _ + "only other attachments on the same ${terms.bug}. " _ + "Remember, though, that all those possible domain names " _ + "(such as <tt>1234.your.domain.com</tt>) must point to " _ + "this same $terms.Bugzilla instance." + allow_attachment_deletion => "If this option is on, administrators will be able to delete " _ "the content of attachments.", |