author | Dylan William Hardison <dylan@hardison.net> | 2017-12-16 20:17:05 +0100 |
---|---|---|
committer | GitHub <noreply@github.com> | 2017-12-16 20:17:05 +0100 |
commit | 334bead74bc9c5e819f14946726eaad40986d636 (patch) | |
tree | e7ecf8d4eba2e6a046da8a9dc8828f35b75c7428 /template/en/default | |
parent | 49e0df0d4e1b2f25be4ab36660dac5e47768c9a1 (diff) | |
Bug 1403777 - Migrate urlbase from params to localconfig
Diffstat (limited to 'template/en/default')
-rw-r--r-- | template/en/default/admin/params/advanced.html.tmpl | 13 | ||||
-rw-r--r-- | template/en/default/admin/params/attachment.html.tmpl | 22 | ||||
-rw-r--r-- | template/en/default/admin/params/core.html.tmpl | 48 | ||||
-rw-r--r-- | template/en/default/global/header.html.tmpl | 1 | ||||
-rw-r--r-- | template/en/default/robots.txt.tmpl | 2 | ||||
-rw-r--r-- | template/en/default/setup/strings.txt.pl | 23 | ||||
-rw-r--r-- | template/en/default/welcome-admin.html.tmpl | 8 |
7 files changed, 26 insertions, 91 deletions
diff --git a/template/en/default/admin/params/advanced.html.tmpl b/template/en/default/admin/params/advanced.html.tmpl index a23c602ae..75885b3f4 100644 --- a/template/en/default/admin/params/advanced.html.tmpl +++ b/template/en/default/admin/params/advanced.html.tmpl @@ -19,7 +19,7 @@ # Frédéric Buclin <LpSolit@gmail.com> #%] -[% +[% title = "Advanced" desc = "Settings for advanced configurations." %] @@ -29,7 +29,7 @@ <a href="https://en.wikipedia.org/wiki/HTTP_Strict_Transport_Security">Strict-Transport-Security</a> header along with HTTP responses on SSL connections. This adds greater security to your SSL connections by forcing the browser to always - access your domain over SSL and never accept an invalid certificate. + access your domain over SSL and never accept an invalid certificate. However, it should only be used if you have the <code>ssl_redirect</code> parameter turned on, [% terms.Bugzilla %] is the only thing running on its domain (i.e., your <code>urlbase</code> is something like @@ -54,13 +54,6 @@ [% END %] [% param_descs = { - cookiedomain => - "If your website is at 'www.foo.com', setting this to" - _ " '.foo.com' will also allow 'bar.foo.com' to access" - _ " $terms.Bugzilla cookies. This is useful if you have more than" - _ " one hostname pointing at the same web server, and you" - _ " want them to share the $terms.Bugzilla cookie.", - inbound_proxies => "When inbound traffic to $terms.Bugzilla goes through a proxy," _ " $terms.Bugzilla thinks that the IP address of every single" @@ -71,7 +64,7 @@ _ " If set to a *, $terms.Bugzilla will trust the first value in the " _ " X-Forwarded-For header.", - proxy_url => + proxy_url => "$terms.Bugzilla may have to access the web to get notifications about" _ " new releases (see the <tt>upgrade_notification</tt> parameter)." _ " If your $terms.Bugzilla server is behind a proxy, it may be" 
diff --git a/template/en/default/admin/params/attachment.html.tmpl b/template/en/default/admin/params/attachment.html.tmpl index bdd20c676..0858a1044 100644 --- a/template/en/default/admin/params/attachment.html.tmpl +++ b/template/en/default/admin/params/attachment.html.tmpl @@ -35,28 +35,6 @@ _ "<p>It is highly recommended that you set the <tt>attachment_base</tt>" _ " parameter if you turn this parameter on.", - attachment_base => - "When the <tt>allow_attachment_display</tt> parameter is on, it is " - _ " possible for a malicious attachment to steal your cookies or" - _ " perform an attack on $terms.Bugzilla using your credentials." - _ "<p>If you would like additional security on attachments to avoid" - _ " this, set this parameter to an alternate URL for your $terms.Bugzilla" - _ " that is not the same as <tt>urlbase</tt> or <tt>sslbase</tt>." - _ " That is, a different domain name that resolves to this exact" - _ " same $terms.Bugzilla installation.</p>" - _ "<p>Note that if you have set the" - _ " <a href=\"editparams.cgi?section=advanced#cookiedomain_desc\"><tt>cookiedomain</tt>" - _" parameter</a>, you should set <tt>attachment_base</tt> to use a" - _ " domain that would <em>not</em> be matched by" - _ " <tt>cookiedomain</tt>.</p>" - _ "<p>For added security, you can insert <tt>%bugid%</tt> into the URL," - _ " which will be replaced with the ID of the current $terms.bug that" - _ " the attachment is on, when you access an attachment. This will limit" - _ " attachments to accessing only other attachments on the same" - _ " ${terms.bug}. Remember, though, that all those possible domain names " - _ " (such as <tt>1234.your.domain.com</tt>) must point to this same" - _ " $terms.Bugzilla instance.", - allow_attachment_deletion => "If this option is on, administrators will be able to delete " _ "the content of attachments.", 
diff --git a/template/en/default/admin/params/core.html.tmpl b/template/en/default/admin/params/core.html.tmpl deleted file mode 100644 index b1578f422..000000000 --- a/template/en/default/admin/params/core.html.tmpl +++ /dev/null 
@@ -1,48 +0,0 @@ -[%# The contents of this file are subject to the Mozilla Public - # License Version 1.1 (the "License"); you may not use this file - # except in compliance with the License. You may obtain a copy of - # the License at http://www.mozilla.org/MPL/ - # - # Software distributed under the License is distributed on an "AS - # IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or - # implied. See the License for the specific language governing - # rights and limitations under the License. - # - # The Original Code is the Bugzilla Bug Tracking System. - # - # The Initial Developer of the Original Code is Netscape Communications - # Corporation. Portions created by Netscape are - # Copyright (C) 1998 Netscape Communications Corporation. All - # Rights Reserved. - # - # Contributor(s): Dave Miller <justdave@bugzilla.org> - # Frédéric Buclin <LpSolit@gmail.com> - #%] - -[% - title = "Required Settings" - desc = "Settings that are required for proper operation of $terms.Bugzilla" -%] - -[% param_descs = { - urlbase => "The URL that is the common initial leading part of all $terms.Bugzilla " _ - "URLs.", - - sslbase => "The URL that is the common initial leading part of all HTTPS " _ - "(SSL) $terms.Bugzilla URLs.", - - ssl_redirect => - "When this is enabled, $terms.Bugzilla will ensure that every page is" - _ " accessed over SSL, by redirecting any plain HTTP requests to HTTPS" - _ " using the <tt>sslbase</tt> parameter. Also, when this is enabled," - _ " $terms.Bugzilla will send out links using <tt>sslbase</tt> in emails" - _ " instead of <tt>urlbase</tt>.", - - cookiepath => "Path, relative to your web document root, to which to restrict " _ - "$terms.Bugzilla cookies. Normally this is the URI portion of your URL " _ - "base. Begin with a / (single slash mark). For instance, if " _ - "$terms.Bugzilla serves from 'http://www.somedomain.com/bugzilla/', set " _ - "this parameter to /bugzilla/. 
Setting it to / will allow " _ - "all sites served by this web server or virtual host to read " _ - "$terms.Bugzilla cookies.", -} %] diff --git a/template/en/default/global/header.html.tmpl b/template/en/default/global/header.html.tmpl index a7aed895e..9baecbb53 100644 --- a/template/en/default/global/header.html.tmpl +++ b/template/en/default/global/header.html.tmpl @@ -96,7 +96,6 @@ <head> [%- js_BUGZILLA = { param => { - cookiepath => Param('cookiepath'), maxusermatches => Param('maxusermatches'), }, constant => { diff --git a/template/en/default/robots.txt.tmpl b/template/en/default/robots.txt.tmpl index c4948efe5..7ef83c0f1 100644 --- a/template/en/default/robots.txt.tmpl +++ b/template/en/default/robots.txt.tmpl @@ -2,7 +2,7 @@ User-agent: * Disallow: / Crawl-delay: 30 -[% IF NOT urlbase.matches("bugzilla-dev") %] +[% IF NOT Bugzilla.localconfig.urlbase.matches("bugzilla-dev") %] Allow: /$ Allow: /index.cgi diff --git a/template/en/default/setup/strings.txt.pl b/template/en/default/setup/strings.txt.pl index 9a8e3b9d1..35a771ff3 100644 --- a/template/en/default/setup/strings.txt.pl +++ b/template/en/default/setup/strings.txt.pl 
@@ -106,6 +106,24 @@ END The following variables are no longer used in ##localconfig##, and have been moved to ##old_file##: ##vars## END + localconfig_attachment_base => <<'END', +When the runtime allow_attachment_display parameter is on, it is +possible for a malicious attachment to steal your cookies or +perform an attack using your credentials. + +If you would like additional security on attachments to avoid +this, set this parameter to an alternate URL for your $terms.Bugzilla +that is not the same as urlbase. +That is, a different domain name that resolves to this exact +same installation. + +For added security, you can insert %bugid% into the URL, +which will be replaced with the ID of the current bug that +the attachment is on, when you access an attachment. This will limit +attachments to accessing only other attachments on the same +bug. Remember, though, that all those possible domain names + must point to this same instance. +END localconfig_create_htaccess => <<'END', If you are using Apache as your web server, Bugzilla can create .htaccess files for you, which will keep this file (localconfig) and other @@ -180,7 +198,7 @@ here. END localconfig_memcached_servers => <<'END', If this option is set, Bugzilla will integrate with Memcached. -Specify one or more servers, separated by spaces, using hostname:port +Specify one or more servers, separated by spaces, using hostname:port notation (for example: 127.0.0.1:11211). END localconfig_memcached_namespace => <<'END', @@ -198,6 +216,9 @@ This hash is used by BMO to override select data/params values on a per-webhead basis. Keys set to undef will default to the value in data/params. Only the keys listed below can be overridden. END + localconfig_urlbase => <<'END', +The URL that is the common initial leading part of all URLs. +END localconfig_use_suexec => <<'END', Set this to 1 if Bugzilla runs in an Apache SuexecUserGroup environment. 
diff --git a/template/en/default/welcome-admin.html.tmpl b/template/en/default/welcome-admin.html.tmpl index e37008fc7..11d70a6ea 100644 --- a/template/en/default/welcome-admin.html.tmpl +++ b/template/en/default/welcome-admin.html.tmpl @@ -40,14 +40,6 @@ parameters for this installation; among others:</p> <ul> - <li><a href="editparams.cgi?section=core#urlbase_desc">urlbase</a>, which is the URL - pointing to this installation and which will be used in emails (which is also the - reason you see this page: as long as this parameter is not set, you will see this - page again and again).</li> - - <li><a href="editparams.cgi?section=core#cookiepath_desc">cookiepath</a> is important - for your browser to manage your cookies correctly.</li> - <li><a href="editparams.cgi?section=general#maintainer_desc">maintainer</a>, the person responsible for this installation if something is running wrongly.</li> |
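Review bot: In template/en/default/admin/params/advanced.html.tmpl the unchanged Strict-Transport-Security help text still says the header "should only be used if you have the <code>ssl_redirect</code> parameter turned on", yet the same commit deletes core.html.tmpl, which held the ssl_redirect description. Please reword that sentence to say where the setting is configured now, or keep its description reachable from the admin pages, so an admin enabling HSTS can still verify the precondition.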
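Review bot: In template/en/default/admin/params/attachment.html.tmpl the context line kept just above the removed block still reads "It is highly recommended that you set the <tt>attachment_base</tt> parameter if you turn this parameter on", but the attachment_base description is removed here and reappears as localconfig_attachment_base in setup/strings.txt.pl. Suggest changing the kept sentence to tell the admin to set attachment_base in localconfig, since there is no longer a parameter description to find on this page and this is the setting that isolates attachments from the main cookie origin.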
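Review bot: The deletion of template/en/default/admin/params/core.html.tmpl drops the cookiepath guidance ("Setting it to / will allow all sites served by this web server or virtual host to read $terms.Bugzilla cookies") along with the sslbase and ssl_redirect descriptions, and setup/strings.txt.pl in this diff only gains localconfig_urlbase and localconfig_attachment_base. If cookie path and HTTPS redirection are now derived from urlbase, say so in the localconfig_urlbase string; if they remain configurable somewhere, that place needs the cookie-scope warning carried over.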
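Review bot: In template/en/default/global/header.html.tmpl, removing "cookiepath => Param('cookiepath')," from js_BUGZILLA.param changes the object handed to client-side script, and this view is limited to template/en/default, so no JavaScript consumers are visible. Please confirm nothing still reads the cookiepath key from that object; a script that builds a cookie string from it would get an undefined path rather than failing visibly.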
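Review bot: In template/en/default/setup/strings.txt.pl the new localconfig_attachment_base text sits in a <<'END' heredoc, which Perl does not interpolate, so "$terms.Bugzilla" in "set this parameter to an alternate URL for your $terms.Bugzilla" will be printed literally; the neighbouring strings write plain "Bugzilla" or use ##name## placeholders. Replace it with "Bugzilla", and drop the stray leading space left on " must point to this same instance." where the example host name was cut. The %bugid% sentence would also be easier to act on with the example kept, as in the removed template text "(such as <tt>1234.your.domain.com</tt>)".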
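Review bot: In template/en/default/welcome-admin.html.tmpl the removed urlbase bullet was the only text explaining why the admin lands on this page ("as long as this parameter is not set, you will see this page again and again") and that the value is used in emails. If an unset urlbase can still lead here, add a line pointing to the urlbase entry in localconfig; in any case the one-sentence localconfig_urlbase string added in setup/strings.txt.pl should carry the "used in emails" note so the value is not left at a placeholder.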