From 9c49307f5c2f5a67ab5b3b1270cc83b30efa8637 Mon Sep 17 00:00:00 2001
From: "lpsolit%gmail.com" <>
Date: Mon, 2 Feb 2009 19:10:32 +0000
Subject: Bug 472206: [SECURITY] Bugzilla should optionally not allow the user to view possibly harmful attachments - Patch by Frédéric Buclin r=mkanat r=justdave a=LpSolit
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 Bugzilla/Config/Attachment.pm | 8 +++-
 attachment.cgi | 4 +-
 .../en/default/admin/params/attachment.html.tmpl | 49 ++++++++++++++--------
 template/en/default/attachment/edit.html.tmpl | 11 +++++
 template/en/default/attachment/list.html.tmpl | 6 ++-
 5 files changed, 57 insertions(+), 21 deletions(-)

diff --git a/Bugzilla/Config/Attachment.pm b/Bugzilla/Config/Attachment.pm
index 17dbe4068..2b014deda 100644
--- a/Bugzilla/Config/Attachment.pm
+++ b/Bugzilla/Config/Attachment.pm
@@ -40,7 +40,13 @@ $Bugzilla::Config::Attachment::sortkey = "025";
 sub get_param_list {
 my $class = shift;
 my @param_list = (
- {
+ {
+ name => 'allow_attachment_display',
+ type => 'b',
+ default => 0
+ },
+
+ {
 name => 'attachment_base',
 type => 't',
 default => '',
diff --git a/attachment.cgi b/attachment.cgi
index f1753261d..16615abae 100755
--- a/attachment.cgi
+++ b/attachment.cgi
@@ -332,8 +332,10 @@ sub view {
 $filename =~ s/\\/\\\\/g; # escape backslashes
 $filename =~ s/"/\\"/g; # escape quotes
 
+ my $disposition = Bugzilla->params->{'allow_attachment_display'} ? 'inline' : 'attachment';
+
 print $cgi->header(-type=>"$contenttype; name=\"$filename\"",
- -content_disposition=> "inline; filename=\"$filename\"",
+ -content_disposition=> "$disposition; filename=\"$filename\"",
 -content_length => $attachment->datasize);
 disable_utf8();
 print $attachment->data;
diff --git a/template/en/default/admin/params/attachment.html.tmpl b/template/en/default/admin/params/attachment.html.tmpl
index 7c0b52472..39f60470e 100644
--- a/template/en/default/admin/params/attachment.html.tmpl
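Review bot: The new `my $disposition = ...` line in the attachment.cgi hunk runs well past the file's line-length convention and carries no explanation of why `attachment` is the fallback; splitting it and adding a why-comment would help the next reader, e.g. a comment saying that a download is forced unless the admin allows inline display because an attachment rendered inline can act with the viewer's cookies (as the attachment_base description puts it), followed by `my $disposition = Bugzilla->params->{'allow_attachment_display'}` and `                  ? 'inline' : 'attachment';`. Note that the switch changes only the Content-Disposition value; the Content-Type header is still the attachment's declared type, so the protection rests on the browser honouring `attachment` rather than deciding from the body. The body of `view` starts and ends outside the hunk.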
+++ b/template/en/default/admin/params/attachment.html.tmpl @@ -24,23 +24,38 @@ %] [% param_descs = { - attachment_base => "It is possible for a malicious attachment to steal your " _ - "cookies or access other attachments to perform an attack " _ - "on the user.

" _ - "If you would like additional security on attachments " _ - "to avoid this, set this parameter to an alternate URL " _ - "for your $terms.Bugzilla that is not the same as " _ - "urlbase or sslbase. That is, a different " _ - "domain name that resolves to this exact same $terms.Bugzilla " _ - "installation.

" _ - "For added security, you can insert %bugid% into " _ - "the URL, which will be replaced with the ID of the current " _ - "$terms.bug that the attachment is on, when you access " _ - "an attachment. This will limit attachments to accessing " _ - "only other attachments on the same ${terms.bug}. " _ - "Remember, though, that all those possible domain names " _ - "(such as 1234.your.domain.com) must point to " _ - "this same $terms.Bugzilla instance." + allow_attachment_display => + "If this option is on, users will be able to view attachments from" + _ " their browser, if their browser supports the attachment's MIME type." + _ " If this option is off, users are forced to download attachments," + _ " even if the browser is able to display them." + _ "

This is a security restriction for installations where untrusted" + _ " users may upload attachments that could be potentially damaging if" + _ " viewed directly in the browser.

" + _ "

It is highly recommended that you set the attachment_base" + _ " parameter if you turn this parameter on.", + + attachment_base => + "When the allow_attachment_display parameter is on, it is " + _ " possible for a malicious attachment to steal your cookies or" + _ " perform an attack on $terms.Bugzilla using your credentials." + _ "

If you would like additional security on attachments to avoid" + _ " this, set this parameter to an alternate URL for your $terms.Bugzilla" + _ " that is not the same as urlbase or sslbase." + _ " That is, a different domain name that resolves to this exact" + _ " same $terms.Bugzilla installation.

" + _ "

Note that if you have set the" + _ " cookiedomain" + _" parameter, you should set attachment_base to use a" + _ " domain that would not be matched by" + _ " cookiedomain.

" + _ "

For added security, you can insert %bugid% into the URL," + _ " which will be replaced with the ID of the current $terms.bug that" + _ " the attachment is on, when you access an attachment. This will limit" + _ " attachments to accessing only other attachments on the same" + _ " ${terms.bug}. Remember, though, that all those possible domain names " + _ " (such as 1234.your.domain.com) must point to this same" + _ " $terms.Bugzilla instance.", allow_attachment_deletion => "If this option is on, administrators will be able to delete " _ "the content of attachments.", diff --git a/template/en/default/attachment/edit.html.tmpl b/template/en/default/attachment/edit.html.tmpl index 48137e76a..10c615323 100644 --- a/template/en/default/attachment/edit.html.tmpl +++ b/template/en/default/attachment/edit.html.tmpl @@ -270,6 +270,17 @@ [% END %] + [% ELSIF !Param("allow_attachment_display") %] + +

+ The attachment is not viewable in your browser due to security + restrictions enabled by [% terms.Bugzilla %]. +

+

+ In order to view the attachment, you first have to + download it. +

+ [% ELSIF attachment.is_viewable %] [% INCLUDE global/textarea.html.tmpl diff --git a/template/en/default/attachment/list.html.tmpl b/template/en/default/attachment/list.html.tmpl index c93ea5808..08c575dbf 100644 --- a/template/en/default/attachment/list.html.tmpl +++ b/template/en/default/attachment/list.html.tmpl @@ -131,9 +131,11 @@ [% IF attachments.size %] [% IF obsolete_attachments %] - Hide Obsolete ([% obsolete_attachments %]) | + Hide Obsolete ([% obsolete_attachments %]) + [% END %] + [% IF Param("allow_attachment_display") %] + View All [% END %] - View All [% END %] Add an attachment -- cgit v1.2.3-24-g4f1b
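Review bot: The new `[% ELSIF !Param("allow_attachment_display") %]` branch in edit.html.tmpl is tested before `[% ELSIF attachment.is_viewable %]`, so when the parameter is off every attachment reaching this chain gets the "security restrictions" message, including ones whose MIME type the browser could not display anyway. If the message is meant only for attachments that would otherwise have been rendered inline, the condition should be `[% ELSIF attachment.is_viewable && !Param("allow_attachment_display") %]`, leaving the later branches as they were. The enclosing IF chain starts outside the hunk, and the markup inside the new branch appears stripped in this rendering, so the exact tags could not be checked.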
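Review bot: Wrapping the "View All" link in list.html.tmpl in `[% IF Param("allow_attachment_display") %]` only hides the link; the `viewall` action itself is not touched by this commit, whereas `view` in attachment.cgi now derives the disposition from the same parameter. If the parameter is meant to govern every inline rendering, the viewall code path in attachment.cgi should honour it as well (serve through the same disposition logic, or decline when the parameter is off) rather than relying on the link being absent. That code path is not visible here, so this is a check to perform rather than a confirmed gap.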