]> git.ipfire.org Git - thirdparty/bugzilla.git/commitdiff
projects / thirdparty / bugzilla.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: 1c65aa0)
Documentation patch for bug 126266: Use UTF-8 (Unicode) charset encoding for pages...
authorwurblzap%gmail.com <>
Tue, 8 Nov 2005 21:34:37 +0000 (21:34 +0000)
committerwurblzap%gmail.com <>
Tue, 8 Nov 2005 21:34:37 +0000 (21:34 +0000)
Patch by Marc Schumann <wurblzap@gmail.com>
r=colin.ogilvie

docs/xml/security.xml patch | blob | blame | history

diff --git a/docs/xml/security.xml b/docs/xml/security.xml
index e68577b4ce83a0021e58f47999246e5d93a66d93..f33b003352f0de20a132f68a9c6b06fab8071c66 100644 (file)
--- a/docs/xml/security.xml
+++ b/docs/xml/security.xml
@@ -1,5 +1,5 @@
 <!-- <!DOCTYPE chapter PUBLIC "-//OASIS//DTD DocBook XML V4.1.2//EN"> -->
-<!-- $Id: security.xml,v 1.7 2005/08/21 18:16:41 lpsolit%gmail.com Exp $ -->
+<!-- $Id: security.xml,v 1.8 2005/11/08 13:34:37 wurblzap%gmail.com Exp $ -->
 
 <chapter id="security">
 <title>Bugzilla Security</title>
@@ -352,28 +352,25 @@ skip-networking
     <section id="security-bugzilla-charset">
     <title>Prevent users injecting malicious Javascript</title>
 
-      <para>It is possible for a Bugzilla user to take advantage of character
-      set encoding ambiguities to inject HTML into Bugzilla comments. This
-      could include malicious scripts. 
-      Due to internationalization concerns, we are unable to
-      incorporate by default the code changes suggested by 
+      <para>If you installed Bugzilla version 2.22 or later from scratch,
+      then the <emphasis>utf8</emphasis> parameter is switched on by default.
+      This makes Bugzilla explicitly set the character encoding, following
       <ulink
-      url="http://www.cert.org/tech_tips/malicious_code_mitigation.html#3">the
-      CERT advisory</ulink> on this issue.
-      Making the change in <xref linkend="security-bugzilla-charset-ex"/> will
-      prevent this problem. 
+      url="http://www.cert.org/tech_tips/malicious_code_mitigation.html#3">a
+      CERT advisory</ulink> recommending exactly this.
+      The following therefore does not apply to you; just keep
+      <emphasis>utf8</emphasis> turned on.
       </para>
 
-      <example id="security-bugzilla-charset-ex">
-      <title>Forcing Bugzilla to output a charset</title>
-
-        <para>Locate the following line in
-        <filename>Bugzilla/CGI.pm</filename>:
-        <programlisting>$self->charset('');</programlisting>
-        and change it to:
-        <programlisting>$self->charset('UTF-8');</programlisting>
-        </para>
-      </example>
+      <para>If you've upgraded from an older version, then it may be possible
+      for a Bugzilla user to take advantage of character set encoding
+      ambiguities to inject HTML into Bugzilla comments.
+      This could include malicious scripts. 
+      This is because due to internationalization concerns, we are unable to
+      turn the <emphasis>utf8</emphasis> parameter on by default for upgraded
+      installations.
+      Turning it on manually will prevent this problem.
+      </para>
     </section>    
     
   </section>
Mirror of https://github.com/bugzilla/bugzilla.git