From 334bead74bc9c5e819f14946726eaad40986d636 Mon Sep 17 00:00:00 2001 From: Dylan William Hardison Date: Sat, 16 Dec 2017 13:17:05 -0600 Subject: Bug 1403777 - Migrate urlbase from params to localconfig --- .../en/default/admin/params/advanced.html.tmpl | 13 ++---- .../en/default/admin/params/attachment.html.tmpl | 22 ---------- template/en/default/admin/params/core.html.tmpl | 48 ---------------------- template/en/default/global/header.html.tmpl | 1 - template/en/default/robots.txt.tmpl | 2 +- template/en/default/setup/strings.txt.pl | 23 ++++++++++- template/en/default/welcome-admin.html.tmpl | 8 ---- 7 files changed, 26 insertions(+), 91 deletions(-) delete mode 100644 template/en/default/admin/params/core.html.tmpl (limited to 'template/en/default') diff --git a/template/en/default/admin/params/advanced.html.tmpl b/template/en/default/admin/params/advanced.html.tmpl index a23c602ae..75885b3f4 100644 --- a/template/en/default/admin/params/advanced.html.tmpl +++ b/template/en/default/admin/params/advanced.html.tmpl @@ -19,7 +19,7 @@ # Frédéric Buclin #%] -[% +[% title = "Advanced" desc = "Settings for advanced configurations." %] @@ -29,7 +29,7 @@ Strict-Transport-Security header along with HTTP responses on SSL connections. This adds greater security to your SSL connections by forcing the browser to always - access your domain over SSL and never accept an invalid certificate. + access your domain over SSL and never accept an invalid certificate. However, it should only be used if you have the ssl_redirect parameter turned on, [% terms.Bugzilla %] is the only thing running on its domain (i.e., your urlbase is something like 
@@ -54,13 +54,6 @@ [% END %] [% param_descs = { - cookiedomain => - "If your website is at 'www.foo.com', setting this to" - _ " '.foo.com' will also allow 'bar.foo.com' to access" - _ " $terms.Bugzilla cookies. This is useful if you have more than" - _ " one hostname pointing at the same web server, and you" - _ " want them to share the $terms.Bugzilla cookie.", - inbound_proxies => "When inbound traffic to $terms.Bugzilla goes through a proxy," _ " $terms.Bugzilla thinks that the IP address of every single" @@ -71,7 +64,7 @@ _ " If set to a *, $terms.Bugzilla will trust the first value in the " _ " X-Forwarded-For header.", - proxy_url => + proxy_url => "$terms.Bugzilla may have to access the web to get notifications about" _ " new releases (see the upgrade_notification parameter)." _ " If your $terms.Bugzilla server is behind a proxy, it may be" diff --git a/template/en/default/admin/params/attachment.html.tmpl b/template/en/default/admin/params/attachment.html.tmpl index bdd20c676..0858a1044 100644 --- a/template/en/default/admin/params/attachment.html.tmpl +++ b/template/en/default/admin/params/attachment.html.tmpl @@ -35,28 +35,6 @@ _ "

It is highly recommended that you set the attachment_base" _ " parameter if you turn this parameter on.", - attachment_base => - "When the allow_attachment_display parameter is on, it is " - _ " possible for a malicious attachment to steal your cookies or" - _ " perform an attack on $terms.Bugzilla using your credentials." - _ "

If you would like additional security on attachments to avoid" - _ " this, set this parameter to an alternate URL for your $terms.Bugzilla" - _ " that is not the same as urlbase or sslbase." - _ " That is, a different domain name that resolves to this exact" - _ " same $terms.Bugzilla installation.

" - _ "

Note that if you have set the" - _ " cookiedomain" - _" parameter, you should set attachment_base to use a" - _ " domain that would not be matched by" - _ " cookiedomain.

" - _ "

For added security, you can insert %bugid% into the URL," - _ " which will be replaced with the ID of the current $terms.bug that" - _ " the attachment is on, when you access an attachment. This will limit" - _ " attachments to accessing only other attachments on the same" - _ " ${terms.bug}. Remember, though, that all those possible domain names " - _ " (such as 1234.your.domain.com) must point to this same" - _ " $terms.Bugzilla instance.", - allow_attachment_deletion => "If this option is on, administrators will be able to delete " _ "the content of attachments.", diff --git a/template/en/default/admin/params/core.html.tmpl b/template/en/default/admin/params/core.html.tmpl deleted file mode 100644 index b1578f422..000000000 --- a/template/en/default/admin/params/core.html.tmpl +++ /dev/null 
@@ -1,48 +0,0 @@ -[%# The contents of this file are subject to the Mozilla Public - # License Version 1.1 (the "License"); you may not use this file - # except in compliance with the License. You may obtain a copy of - # the License at http://www.mozilla.org/MPL/ - # - # Software distributed under the License is distributed on an "AS - # IS" basis, WITHOUT WARRANTY OF ANY KIND, either express or - # implied. See the License for the specific language governing - # rights and limitations under the License. - # - # The Original Code is the Bugzilla Bug Tracking System. - # - # The Initial Developer of the Original Code is Netscape Communications - # Corporation. Portions created by Netscape are - # Copyright (C) 1998 Netscape Communications Corporation. All - # Rights Reserved. - # - # Contributor(s): Dave Miller - # Frédéric Buclin - #%] - -[% - title = "Required Settings" - desc = "Settings that are required for proper operation of $terms.Bugzilla" -%] - -[% param_descs = { - urlbase => "The URL that is the common initial leading part of all $terms.Bugzilla " _ - "URLs.", - - sslbase => "The URL that is the common initial leading part of all HTTPS " _ - "(SSL) $terms.Bugzilla URLs.", - - ssl_redirect => - "When this is enabled, $terms.Bugzilla will ensure that every page is" - _ " accessed over SSL, by redirecting any plain HTTP requests to HTTPS" - _ " using the sslbase parameter. Also, when this is enabled," - _ " $terms.Bugzilla will send out links using sslbase in emails" - _ " instead of urlbase.", - - cookiepath => "Path, relative to your web document root, to which to restrict " _ - "$terms.Bugzilla cookies. Normally this is the URI portion of your URL " _ - "base. Begin with a / (single slash mark). For instance, if " _ - "$terms.Bugzilla serves from 'http://www.somedomain.com/bugzilla/', set " _ - "this parameter to /bugzilla/. 
Setting it to / will allow " _ - "all sites served by this web server or virtual host to read " _ - "$terms.Bugzilla cookies.", -} %] diff --git a/template/en/default/global/header.html.tmpl b/template/en/default/global/header.html.tmpl index a7aed895e..9baecbb53 100644 --- a/template/en/default/global/header.html.tmpl +++ b/template/en/default/global/header.html.tmpl @@ -96,7 +96,6 @@ [%- js_BUGZILLA = { param => { - cookiepath => Param('cookiepath'), maxusermatches => Param('maxusermatches'), }, constant => { diff --git a/template/en/default/robots.txt.tmpl b/template/en/default/robots.txt.tmpl index c4948efe5..7ef83c0f1 100644 --- a/template/en/default/robots.txt.tmpl +++ b/template/en/default/robots.txt.tmpl @@ -2,7 +2,7 @@ User-agent: * Disallow: / Crawl-delay: 30 -[% IF NOT urlbase.matches("bugzilla-dev") %] +[% IF NOT Bugzilla.localconfig.urlbase.matches("bugzilla-dev") %] Allow: /$ Allow: /index.cgi diff --git a/template/en/default/setup/strings.txt.pl b/template/en/default/setup/strings.txt.pl index 9a8e3b9d1..35a771ff3 100644 --- a/template/en/default/setup/strings.txt.pl +++ b/template/en/default/setup/strings.txt.pl 
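Review bot: In robots.txt.tmpl, `[% IF NOT Bugzilla.localconfig.urlbase.matches("bugzilla-dev") %]` fails open. If `urlbase` is empty or missing from localconfig, the `matches` call presumably yields a false value, so the production `Allow:` rules are emitted. The value now comes from a hand-edited file rather than the admin parameter page, so I would require it to be set before opening the site to crawlers, e.g. `[% IF Bugzilla.localconfig.urlbase AND NOT Bugzilla.localconfig.urlbase.matches("bugzilla-dev") %]`. The pattern is an unanchored substring match on the whole URL, so a one-line template comment stating that any urlbase containing "bugzilla-dev" is treated as a non-indexable development host would also help. The IF block closes outside this hunk.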
@@ -105,6 +105,24 @@ END lc_old_vars => <<'END', The following variables are no longer used in ##localconfig##, and have been moved to ##old_file##: ##vars## +END + localconfig_attachment_base => <<'END', +When the runtime allow_attachment_display parameter is on, it is +possible for a malicious attachment to steal your cookies or +perform an attack using your credentials. + +If you would like additional security on attachments to avoid +this, set this parameter to an alternate URL for your $terms.Bugzilla +that is not the same as urlbase. +That is, a different domain name that resolves to this exact +same installation. + +For added security, you can insert %bugid% into the URL, +which will be replaced with the ID of the current bug that +the attachment is on, when you access an attachment. This will limit +attachments to accessing only other attachments on the same +bug. Remember, though, that all those possible domain names + must point to this same instance. END localconfig_create_htaccess => <<'END', If you are using Apache as your web server, Bugzilla can create .htaccess @@ -180,7 +198,7 @@ here. END localconfig_memcached_servers => <<'END', If this option is set, Bugzilla will integrate with Memcached. -Specify one or more servers, separated by spaces, using hostname:port +Specify one or more servers, separated by spaces, using hostname:port notation (for example: 127.0.0.1:11211). END localconfig_memcached_namespace => <<'END', @@ -197,6 +215,9 @@ END This hash is used by BMO to override select data/params values on a per-webhead basis. Keys set to undef will default to the value in data/params. Only the keys listed below can be overridden. +END + localconfig_urlbase => <<'END', +The URL that is the common initial leading part of all URLs. END localconfig_use_suexec => <<'END', Set this to 1 if Bugzilla runs in an Apache SuexecUserGroup environment. 
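Review bot: The new `localconfig_attachment_base` text sits in a non-interpolating `<<'END'` heredoc, and the other strings in this file use `##name##` placeholders, so `$terms.Bugzilla` will most likely be written verbatim into the localconfig comment; write `this parameter to an alternate URL for your Bugzilla` instead. The line ` must point to this same instance.` also carries a stray leading space. The rewritten help drops the old caveat about cookie scope, yet a separate attachment host only isolates attachments if Bugzilla's login cookies are never sent to it, so I would add a sentence such as `The attachment domain must not be one that receives Bugzilla's login cookies.` Separately, the allow_attachment_display description kept as context in attachment.html.tmpl still tells the admin to set the attachment_base "parameter", which this commit moves to localconfig.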
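Review bot: `localconfig_urlbase` is documented only as `The URL that is the common initial leading part of all URLs.`, which drops the word Bugzilla from the old parameter text and gives no hint of the expected form. The value is now typed into a file and the old sslbase description is deleted in this commit, so the comment should say it is an absolute URL including the scheme and give an example in the style of the memcached string, e.g. `The URL that is the common initial leading part of all Bugzilla URLs (for example: https://bugzilla.example.com/).` Whether localconfig validates this value is not visible in the diff; if it does not, a malformed or plain-http urlbase would flow into every generated link.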
diff --git a/template/en/default/welcome-admin.html.tmpl b/template/en/default/welcome-admin.html.tmpl index e37008fc7..11d70a6ea 100644 --- a/template/en/default/welcome-admin.html.tmpl +++ b/template/en/default/welcome-admin.html.tmpl @@ -40,14 +40,6 @@ parameters for this installation; among others: