bugzilla-4.4.1-2.mga4.noarch.rpm

<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html><head><meta http-equiv="Content-Type" content="text/html; charset=UTF-8"><title>4.3. Bugzilla</title><link rel="stylesheet" type="text/css" href="../../style.css"><meta name="generator" content="DocBook XSL Stylesheets V1.78.1"><meta name="keywords" content="Bugzilla, Guide, installation, FAQ, administration, integration, MySQL, Mozilla, webtools"><link rel="home" href="index.html" title="The Bugzilla Guide - 4.4.1 Release"><link rel="up" href="security.html" title="Chapter 4. Bugzilla Security"><link rel="prev" href="security-webserver.html" title="4.2. Web server"><link rel="next" href="using.html" title="Chapter 5. Using Bugzilla"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">4.3. Bugzilla</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="security-webserver.html">Prev</a> </td><th width="60%" align="center">Chapter 4. Bugzilla Security</th><td width="20%" align="right"> <a accesskey="n" href="using.html">Next</a></td></tr></table><hr></div><div class="section"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="security-bugzilla"></a>4.3. Bugzilla</h2></div></div></div><div class="section"><div class="titlepage"><div><div><h3 class="title"><a name="security-bugzilla-charset"></a>4.3.1. Prevent users injecting malicious Javascript</h3></div></div></div><p>If you installed Bugzilla version 2.22 or later from scratch,
      then the <span class="emphasis"><em>utf8</em></span> parameter is switched on by default.
      This makes Bugzilla explicitly set the character encoding, following
      <a class="ulink" href="http://www.cert.org/tech_tips/malicious_code_mitigation.html#3" target="_top">a
      CERT advisory</a> recommending exactly this.
      The following therefore does not apply to you; just keep
      <span class="emphasis"><em>utf8</em></span> turned on.
      </p><p>If you've upgraded from an older version, then it may be possible
      for a Bugzilla user to take advantage of character set encoding
      ambiguities to inject HTML into Bugzilla comments.
      This could include malicious scripts.
      This is possible because, for internationalization reasons, we are unable to
      turn the <span class="emphasis"><em>utf8</em></span> parameter on by default for upgraded
      installations.
      Turning it on manually will prevent this problem.
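      As an added example (not code from the Bugzilla Guide or the Bugzilla project), the following Python check shows what "explicitly set the character encoding" means in practice: it inspects a captured HTTP response for a charset declared in the Content-Type header or in a meta tag, which is the declaration the utf8 parameter makes Bugzilla send, and flags responses that leave the browser to guess. The sample responses are constructed inline and the function names are my own.

```python
"""Check whether an HTTP response declares its character encoding explicitly.

Added example, not part of the Bugzilla Guide. An undeclared charset leaves
the browser to guess the encoding, which is the ambiguity the Guide warns
about; an explicit UTF-8 declaration (what Bugzilla's utf8 parameter
produces) removes it.
"""
import re

# charset parameter inside a Content-Type header value
CHARSET_RE = re.compile(r";\s*charset\s*=\s*\"?([A-Za-z0-9._-]+)\"?", re.I)
# charset declared in a <meta> tag in the HTML body
META_RE = re.compile(rb"<meta[^>]+charset\s*=\s*\"?([A-Za-z0-9._-]+)", re.I)


def split_response(raw: bytes):
    """Split a raw HTTP response into (lower-cased header dict, body bytes)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    headers = {}
    for line in head.split(b"\r\n")[1:]:  # skip the status line
        name, _, value = line.decode("latin-1").partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers, body


def declared_charset(raw: bytes):
    """Return (source, charset) or (None, None) when no charset is declared.

    The HTTP header wins over a <meta> tag, matching browser behaviour."""
    headers, body = split_response(raw)
    m = CHARSET_RE.search(headers.get("content-type", ""))
    if m:
        return "header", m.group(1).lower()
    m = META_RE.search(body)
    if m:
        return "meta", m.group(1).decode("ascii").lower()
    return None, None


def check_response(raw: bytes) -> str:
    """Classify a response as OK (explicit UTF-8), WARN (other charset) or FAIL."""
    source, charset = declared_charset(raw)
    if source is None:
        return "FAIL: no charset declared; browser will guess the encoding"
    if charset not in ("utf-8", "utf8"):
        return f"WARN: charset {charset} declared via {source}"
    return f"OK: utf-8 declared via {source}"


# Constructed sample responses (not captured from a real Bugzilla instance).
RESPONSE_WITH_CHARSET = (b"HTTP/1.1 200 OK\r\nContent-Type: text/html; charset=UTF-8\r\n\r\n"
                         b"<html><body>comment text</body></html>")
RESPONSE_WITHOUT_CHARSET = (b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
                            b"<html><body>comment text</body></html>")

if __name__ == "__main__":
    for response in (RESPONSE_WITH_CHARSET, RESPONSE_WITHOUT_CHARSET):
        print(check_response(response))
```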
      </p></div></div><div class="navfooter"><hr><table width="100%" summary="Navigation footer"><tr><td width="40%" align="left"><a accesskey="p" href="security-webserver.html">Prev</a> </td><td width="20%" align="center"><a accesskey="u" href="security.html">Up</a></td><td width="40%" align="right"> <a accesskey="n" href="using.html">Next</a></td></tr><tr><td width="40%" align="left" valign="top">4.2. Web server </td><td width="20%" align="center"><a accesskey="h" href="index.html">Home</a></td><td width="40%" align="right" valign="top"> Chapter 5. Using Bugzilla</td></tr></table></div></body></html>