From: Gervase Markham Date: Mon, 15 Sep 2014 15:19:48 +0000 (+0800) Subject: WIP X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=9aa4b8083d1bacd6ca24bfd7f4c413827236684e;p=thirdparty%2Fbugzilla.git WIP --- diff --git a/docs/en/rst/administering/categorization.rst b/docs/en/rst/administering/categorization.rst index f5548fbebb..b34fdf8a99 100644 --- a/docs/en/rst/administering/categorization.rst +++ b/docs/en/rst/administering/categorization.rst @@ -8,6 +8,8 @@ Bugs in Bugzilla are classified into one of a set of admin-defined Components. Components are themselves each part of a single Product. Optionally, Products can be part of a single Classification, adding a third level to the hierarchy. +.. _classifications: + Classifications ############### @@ -69,7 +71,7 @@ Version Create chart datasets for this product Select to make chart datasets available for this product. -It is compulsory to create at least one :ref:`component` in a product, and +It is compulsory to create at least one :ref:`component ` in a product, and so you will be asked for the details of that too. When editing a product you can change all of the above, and there is also a diff --git a/docs/en/rst/administering/custom-fields.rst b/docs/en/rst/administering/custom-fields.rst index fef5cece55..08e145bb7e 100644 --- a/docs/en/rst/administering/custom-fields.rst +++ b/docs/en/rst/administering/custom-fields.rst @@ -85,7 +85,7 @@ The following attributes must be set for each new custom field: - *Can be set on bug creation:* Boolean that determines whether this field can be set on bug creation. If not selected, then a bug must be created - before this field can be set. See :ref:`bugreports` + before this field can be set. See :ref:`filing` for information about filing bugs. - *Displayed in bugmail for new bugs:* diff --git a/docs/en/rst/administering/groups.rst b/docs/en/rst/administering/groups.rst index 6cd162e663..d649e1428b 100644 --- a/docs/en/rst/administering/groups.rst 
+++ b/docs/en/rst/administering/groups.rst @@ -166,8 +166,8 @@ A User can become a member of a group in several ways: address in the search results to edit their profile. The profile page lists all the groups, and indicates if the user is a member of the group either directly or indirectly. More information on indirect - group membership is below. For more details on User administration, - see :ref:`useradmin`. + group membership is below. For more details on User Administration, + see :ref:`users`. #. The group can include another group of which the user is a member. This is indicated by square brackets around the checkbox diff --git a/docs/en/rst/administering/keywords.rst b/docs/en/rst/administering/keywords.rst index 0e84c7e960..4127f262a8 100644 --- a/docs/en/rst/administering/keywords.rst +++ b/docs/en/rst/administering/keywords.rst @@ -11,7 +11,7 @@ bugs much easier. Keywords are global, rather than per-product. If the administrator changes a keyword currently applied to any bugs, the keyword cache must be rebuilt -using the :ref:`sanitycheck` script. XXXDoes this mean changing the name of the keyword? Is it still true? +using the :ref:`sanity-check` script. XXXDoes this mean changing the name of the keyword? Is it still true? Currently keywords cannot be marked obsolete to prevent future usage. diff --git a/docs/en/rst/administering/parameters.rst b/docs/en/rst/administering/parameters.rst index d1dc0aa1c2..8d8cd587cf 100644 --- a/docs/en/rst/administering/parameters.rst +++ b/docs/en/rst/administering/parameters.rst 
@@ -182,7 +182,7 @@ emailregexp used for login names. The default attempts to match fully qualified email addresses (i.e. 'user\@example.com') in a slightly more restrictive way than what is allowed in RFC 2822. - Another popular value to put here is :paramval:``^[^@]+`, which means 'local usernames, no @ allowed.' + Another popular value to put here is :paramval:`^[^@]+`, which means 'local usernames, no @ allowed.' emailregexpdesc This description is shown to the user to explain which email addresses are allowed by the :param:`emailregexp` param. @@ -406,7 +406,7 @@ timetrackinggroup querysharegroup The name of the group of users who are allowed to share saved searches with one another. For more information on using - saved searches, see :ref:`savedsearches`. + saved searches, see :ref:`saved-searches`. comment_taggers_group The name of the group of users who can tag comment. Setting this to empty disables comment tagging. diff --git a/docs/en/rst/customizing/templates.rst b/docs/en/rst/customizing/templates.rst index 607525a223..77337b912b 100644 --- a/docs/en/rst/customizing/templates.rst +++ b/docs/en/rst/customizing/templates.rst @@ -55,7 +55,7 @@ modifications, and the method you plan to use to upgrade Bugzilla. not exist by default and must be created if you want to use it.) #. You can use the hooks built into many of the templates to add or modify - the UI from an :ref:`extension`. Hooks generally don't go away and have + the UI from an :ref:`extension `. Hooks generally don't go away and have a stable interface. The third method is the best if there are hooks in the appropriate places. diff --git a/docs/en/rst/installing/iis.rst b/docs/en/rst/installing/iis.rst index 82f3da1eeb..26054260b2 100644 --- a/docs/en/rst/installing/iis.rst +++ b/docs/en/rst/installing/iis.rst 
@@ -63,6 +63,6 @@ doesn't use any of them. Also, and this can't be stressed enough, make sure that files such as :file:`localconfig` and your :file:`data` directory are -secured as described in :ref:`security-webserver-access`. +secured. XXX See also https://wiki.mozilla.org/Installing_under_IIS_7.5 diff --git a/docs/en/rst/installing/windows.rst b/docs/en/rst/installing/windows.rst index 4a7c1769b7..4a12357c5c 100644 --- a/docs/en/rst/installing/windows.rst +++ b/docs/en/rst/installing/windows.rst @@ -94,11 +94,7 @@ Serving the web pages As is the case on Unix based systems, any web server should be able to handle Bugzilla; however, the Bugzilla Team still -recommends Apache whenever asked. No matter what web server -you choose, be sure to pay attention to the security notes -in :ref:`security-webserver-access`. More -information on configuring specific web servers can be found -in :ref:`http`. +recommends Apache whenever asked. .. note:: The web server looks at :file:`/usr/bin/perl` to call Perl. If you are using Apache on windows, you can set the diff --git a/docs/en/rst/security.rst b/docs/en/rst/security.rst deleted file mode 100644 index bda308cacb..0000000000 --- a/docs/en/rst/security.rst +++ /dev/null 
@@ -1,165 +0,0 @@ -.. _security: - -================= -Bugzilla Security -================= - -While some of the items in this chapter are related to the operating -system Bugzilla is running on or some of the support software required to -run Bugzilla, it is all related to protecting your data. This is not -intended to be a comprehensive guide to securing Linux, Apache, MySQL, or -any other piece of software mentioned. There is no substitute for active -administration and monitoring of a machine. The key to good security is -actually right in the middle of the word: *U R It*. - -While programmers in general always strive to write secure code, -accidents can and do happen. The best approach to security is to always -assume that the program you are working with isn't 100% secure and restrict -its access to other parts of your machine as much as possible. - -.. _security-os: - -Operating System -################ - -.. _security-os-ports: - -TCP/IP Ports -============ - -.. COMMENT: TODO: Get exact number of ports - -The TCP/IP standard defines more than 65,000 ports for sending -and receiving traffic. Of those, Bugzilla needs exactly one to operate -(different configurations and options may require up to 3). You should -audit your server and make sure that you aren't listening on any ports -you don't need to be. It's also highly recommended that the server -Bugzilla resides on, along with any other machines you administer, be -placed behind some kind of firewall. - -.. _security-os-accounts: - -System User Accounts -==================== - -Many daemons, such -as Apache's :file:`httpd` or MySQL's -:file:`mysqld`, run as either ``root`` or -``nobody``. This is even worse on Windows machines where the -majority of services -run as ``SYSTEM``. While running as ``root`` or -``SYSTEM`` introduces obvious security concerns, the -problems introduced by running everything as ``nobody`` may -not be so obvious. 
Basically, if you run every daemon as -``nobody`` and one of them gets compromised it can -compromise every other daemon running as ``nobody`` on your -machine. For this reason, it is recommended that you create a user -account for each daemon. - -.. note:: You will need to set the ``webservergroup`` option - in :file:`localconfig` to the group your web server runs - as. This will allow :file:`./checksetup.pl` to set file - permissions on Unix systems so that nothing is world-writable. - -.. _security-os-chroot: - -The :file:`chroot` Jail -======================= - -If your system supports it, you may wish to consider running -Bugzilla inside of a :file:`chroot` jail. This option -provides unprecedented security by restricting anything running -inside the jail from accessing any information outside of it. If you -wish to use this option, please consult the documentation that came -with your system. - -.. _security-webserver: - -Web server -########## - -.. _security-webserver-access: - -Disabling Remote Access to Bugzilla Configuration Files -======================================================= - -There are many files that are placed in the Bugzilla directory -area that should not be accessible from the web server. Because of the way -Bugzilla is currently layed out, the list of what should and should not -be accessible is rather complicated. A quick way is to run -:file:`testserver.pl` to check if your web server serves -Bugzilla files as expected. If not, you may want to follow the few -steps below. - -.. note:: Bugzilla ships with the ability to create :file:`.htaccess` - files that enforce these rules. 
Instructions for enabling these - directives in Apache can be found in :ref:`http-apache` - -- In the main Bugzilla directory, you should: - - Block: :file:`*.pl`, :file:`*localconfig*` - -- In :file:`data`: - - Block everything - -- In :file:`data/webdot`: - - - If you use a remote webdot server: - - - Block everything - - But allow :file:`*.dot` - only for the remote webdot server - - Otherwise, if you use a local GraphViz: - - - Block everything - - But allow: :file:`*.png`, :file:`*.gif`, :file:`*.jpg`, :file:`*.map` - - And if you don't use any dot: - - - Block everything - -- In :file:`Bugzilla`: - - Block everything - -- In :file:`template`: - - Block everything - -Be sure to test that data that should not be accessed remotely is -properly blocked. Of particular interest is the localconfig file which -contains your database password. Also, be aware that many editors -create temporary and backup files in the working directory and that -those should also not be accessible. For more information, see -`bug 186383 `_ -or -`Bugtraq ID 6501 `_. -To test, simply run :file:`testserver.pl`, as said above. - -.. note:: Be sure to check :ref:`http` for instructions - specific to the web server you use. - -.. _security-bugzilla: - -Bugzilla -######## - -.. _security-bugzilla-charset: - -Prevent users injecting malicious Javascript -============================================ - -If you installed Bugzilla version 2.22 or later from scratch, -then the *utf8* parameter is switched on by default. -This makes Bugzilla explicitly set the character encoding, following -`a -CERT advisory `_ recommending exactly this. -The following therefore does not apply to you; just keep -*utf8* turned on. - -If you've upgraded from an older version, then it may be possible -for a Bugzilla user to take advantage of character set encoding -ambiguities to inject HTML into Bugzilla comments. -This could include malicious scripts. 
-This is because due to internationalization concerns, we are unable to -turn the *utf8* parameter on by default for upgraded -installations. -Turning it on manually will prevent this problem. - - diff --git a/docs/en/rst/using/editing.rst b/docs/en/rst/using/editing.rst index ab016a720a..a8a5a0cec2 100644 --- a/docs/en/rst/using/editing.rst +++ b/docs/en/rst/using/editing.rst @@ -31,7 +31,7 @@ field; Bugzilla will convert it into an attachment. This is pretty useful when you are copying and pasting, to avoid the extra step of saving the text in a temporary file. -.. _flags: +.. _editing-flags: Flags ===== diff --git a/docs/en/rst/using/finding.rst b/docs/en/rst/using/finding.rst index c93d7b305e..578a4f04f6 100644 --- a/docs/en/rst/using/finding.rst +++ b/docs/en/rst/using/finding.rst @@ -55,7 +55,7 @@ values. If none is selected, then the field can take any value. After a search is run, you can save it as a Saved Search, which will appear in the page footer. If you are in the group defined by the "querysharegroup" parameter, you may share your queries -with other users, see :ref:`savedsearches` for more details. +with other users, see :ref:`saved-searches` for more details. .. _custom-search:
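Review bot: in the second docs/en/rst/administering/categorization.rst hunk the new line `:ref:\`component \`` carries a trailing space inside the role and no explicit target, so as shown it will not resolve; an explicit-title reference needs the `<label>` part (for example `:ref:\`component <components>\``, assuming that label exists in the target file), otherwise keep the plain `:ref:\`component\`` form and fix the label instead. The templates.rst hunk introduces the same `:ref:\`extension \`` form and needs the same correction.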
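Review bot: the custom-fields.rst hunk points `See :ref:\`filing\`` at a label that this patch never defines; confirm a `.. _filing:` target exists in the using/ chapter before merging, since Sphinx will otherwise emit an undefined-label warning and render the text without a link. The same check applies to `:ref:\`users\`` (groups.rst), `:ref:\`sanity-check\`` (keywords.rst) and `:ref:\`saved-searches\`` (parameters.rst, finding.rst), none of which are defined in this diff.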
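Review bot: in the keywords.rst hunk the editorial question `XXXDoes this mean changing the name of the keyword? Is it still true?` survives the ref fix and will render in the administrator guide. Resolve it (the answer decides whether the sanity-check step is still required at all) or move it into an rst comment (`.. COMMENT:` is the convention the deleted security.rst used) before this lands.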
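Review bot: the first parameters.rst hunk correctly drops the doubled backtick in `:paramval:\`\`^[^@]+\``, which would otherwise have rendered a stray literal. While here, the surrounding text could note that `^[^@]+` only excludes `@`: it still accepts whitespace and arbitrary punctuation in login names, so it is a fit for local-username deployments, not a substitute for validating what the authentication backend will accept.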
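Review bot: the iis.rst hunk leaves the sentence ending in `secured. XXX`, removing the pointer to the web-server access-control rules at the same time as the chapter that held them is deleted below. `localconfig` contains the database password, so either keep a concrete cross-reference to wherever that list is moving, or inline the rule (block `*.pl`, `*localconfig*`, `data/`, `Bugzilla/`, `template/` and run `testserver.pl`); the `XXX` must not ship.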
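Review bot: the windows.rst hunk deletes both the security note and the `:ref:\`http\`` pointer to web-server-specific configuration with no replacement, so a Windows installer following this page is never told that `localconfig` and `data` must be blocked from the web. If the `http` section still exists, keep that reference; if it is being relocated, land the new reference in the same change rather than removing the guidance.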
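Review bot: deleting docs/en/rst/security.rst outright, with no replacement anywhere in this diff, drops the only documented guidance on running each daemon under its own account and setting `webservergroup`, the list of paths that must never be served (`*.pl`, `*localconfig*`, `data`, `Bugzilla`, `template`, plus the `data/webdot` rules), the `testserver.pl` check, and the `utf8` parameter advice that closes the charset-ambiguity script-injection issue on upgraded installs. It also orphans every `:ref:` to `security`, `security-os`, `security-os-ports`, `security-os-accounts`, `security-os-chroot`, `security-webserver`, `security-webserver-access`, `security-bugzilla` and `security-bugzilla-charset` outside the two removed in iis.rst and windows.rst. Prefer a `git mv` into the new layout, or land the replacement section in the same commit so the label set never goes undefined, and replace the `WIP` commit message with one that says where the content went.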
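Review bot: renaming the anchor `.. _flags:` to `.. _editing-flags:` in docs/en/rst/using/editing.rst breaks any existing `:ref:\`flags\``, and this patch updates none. Either grep the tree and update those references here, or stack both labels above the `Flags` heading so the old name keeps resolving while callers migrate.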
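Review bot: in the finding.rst hunk, the adjacent `"querysharegroup"` in plain quotes could use the `:param:` role that parameters.rst already uses for parameter names (`:param:\`querysharegroup\``), so the paragraph you are already editing links to the parameter description as well as to the saved-searches section.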