This is the mail archive of the overseers@sourceware.org mailing list for the Sourceware project.



Re: sourceware.org Bugzilla seems to run scripts in HTML


On 12. 11. 17 at 18:16, Florian Weimer wrote:
> Javascript in HTML attachments appears to be served in such a way that
> is run by browsers.  It is probably best not to visit that attachment
> while being logged in, in case that Javascript code tries to steal
> cookies etc.
> 
> Would it be possible to fix this?


Javascript cannot steal login cookies:

    # Prevent JavaScript from accessing login cookies.
    my %cookieargs = ('-httponly' => 1);


Bugzilla can display attachments from an alternate host, but this
feature is not activated for GCC Bugzilla. See the attachment_base
parameter:

http://bugzilla.readthedocs.io/en/5.0/administering/parameters.html#attachments

If overseers is interested in this feature, please provide me an
alternate host name to serve attachments. It can point to the same
physical machine. The point is only to make the browser think it's a
different host so that it activates its cross-site scripting protections.

Meanwhile, I deleted the attachment mentioned by Florian, which looked
like an evil script.

Frédéric
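The two settings the thread turns on (an HttpOnly login cookie, and an attachment_base on a separate origin so that an HTML attachment's script is not same-origin with the Bugzilla session) can be checked with a small audit helper. This is an added example, not code from the thread or from Bugzilla; the Bugzilla_login / Bugzilla_logincookie cookie names are Bugzilla's real ones, while the hostnames and Set-Cookie lines are constructed sample input.

```python
"""Audit the two Bugzilla attachment hardening settings discussed above
(added example, not Bugzilla code): is attachment_base a distinct browser
origin from urlbase, and do the login cookies carry HttpOnly?"""
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443}
LOGIN_COOKIES = {"Bugzilla_login", "Bugzilla_logincookie"}


def origin(url):
    """Browser origin of a URL: (scheme, host, effective port)."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    port = parts.port if parts.port is not None else DEFAULT_PORTS.get(scheme)
    return (scheme, host, port)


def attachments_isolated(urlbase, attachment_base):
    """True when attachments are served from a different origin than the main
    site, so a script in an HTML attachment cannot read the Bugzilla pages or
    send same-origin requests with the session cookies. An empty
    attachment_base (the default) means attachments share the site's origin."""
    if not attachment_base:
        return False
    return origin(urlbase) != origin(attachment_base)


def httponly_cookies(set_cookie_headers, names=LOGIN_COOKIES):
    """Map each named cookie found in the Set-Cookie headers to whether it
    carries the HttpOnly attribute (the flag Bugzilla sets via '-httponly')."""
    found = {}
    for header in set_cookie_headers:
        first, *attrs = [part.strip() for part in header.split(";")]
        name = first.split("=", 1)[0]
        if name in names:
            found[name] = any(attr.lower() == "httponly" for attr in attrs)
    return found


def audit(urlbase, attachment_base, set_cookie_headers):
    """Return the findings a reviewer wants before trusting HTML attachments."""
    cookies = httponly_cookies(set_cookie_headers)
    return {"attachments_isolated": attachments_isolated(urlbase, attachment_base),
            "login_cookies_httponly": bool(cookies) and all(cookies.values()),
            "cookies": cookies}


if __name__ == "__main__":
    # Constructed sample input; hostnames are placeholders, not sourceware's.
    hdrs = ["Bugzilla_login=1; path=/; HttpOnly", "Bugzilla_logincookie=x; path=/; HttpOnly"]
    print(audit("https://bugs.example.org/", "", hdrs))
    print(audit("https://bugs.example.org/", "https://attach.example.org/", hdrs))
```

Note that a different port or scheme on the same hostname already counts as a distinct origin, which is why the alternate name can point at the same physical machine.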

