From 8d70890dc0b7c24b25a344808ac4e63e6a5dd74e Mon Sep 17 00:00:00 2001 From: "lpsolit%gmail.com" <> Date: Mon, 2 Feb 2009 18:21:33 +0000 Subject: =?UTF-8?q?Bug=2038862:=20[SECURITY]=20attachments=20should=20be?= =?UTF-8?q?=20at=20a=20different=20hostname=20-=20Patch=20by=20Byron=20Jon?= =?UTF-8?q?es=20=20and=20Fr=C3=83=C2=A9d=C3=83=C2=A9?= =?UTF-8?q?ric=20Buclin=20=20r=3Dmkanat=20a=3DLpSolit?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- template/en/default/admin/params/attachment.html.tmpl | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+) (limited to 'template/en/default/admin/params') diff --git a/template/en/default/admin/params/attachment.html.tmpl b/template/en/default/admin/params/attachment.html.tmpl index ef3363bbb..7c0b52472 100644 --- a/template/en/default/admin/params/attachment.html.tmpl +++ b/template/en/default/admin/params/attachment.html.tmpl @@ -24,6 +24,24 @@ %] [% param_descs = { + attachment_base => "It is possible for a malicious attachment to steal your " _ + "cookies or access other attachments to perform an attack " _ + "on the user.

" _ + "If you would like additional security on attachments " _ + "to avoid this, set this parameter to an alternate URL " _ + "for your $terms.Bugzilla that is not the same as " _ + "urlbase or sslbase. That is, a different " _ + "domain name that resolves to this exact same $terms.Bugzilla " _ + "installation.

" _ + "For added security, you can insert %bugid% into " _ + "the URL, which will be replaced with the ID of the current " _ + "$terms.bug that the attachment is on, when you access " _ + "an attachment. This will limit attachments to accessing " _ + "only other attachments on the same ${terms.bug}. " _ + "Remember, though, that all those possible domain names " _ + "(such as 1234.your.domain.com) must point to " _ + "this same $terms.Bugzilla instance." + allow_attachment_deletion => "If this option is on, administrators will be able to delete " _ "the content of attachments.", -- cgit v1.2.1
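Review bot: the new attachment_base description tells the admin to "set this parameter to an alternate URL" but never states the expected form of that value (whether a scheme such as http:// or https:// is required, and whether a trailing slash is required, as the "(such as 1234.your.domain.com)" example omits both). Since the whole point of the setting is that the attachment host is a different origin from urlbase and sslbase, consider spelling out the expected format in the description, for example by adding a line such as "The value must be a full URL including the scheme and ending in a slash", so that an admin does not enter a bare hostname or a value that only differs from urlbase by path. It would also help to say explicitly that when %bugid% is used, the resulting hostnames must still be distinct from the urlbase and sslbase hosts, since the text only says the parameter itself "is not the same as urlbase or sslbase".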