Using Bugzilla to hide spam sites

Aaron Trevena aaron.trevena at gmail.com
Tue May 15 16:34:50 UTC 2007


On 15/05/07, Gervase Markham <gerv at mozilla.org> wrote:
> Max Kanat-Alexander wrote:
> >       Oh, I see. So they can still attach the thing, it just shows
> > up as text/plain until they set it otherwise.
> >
> >       Would we do that by setting a list of "dangerous" types? I
> > think that might be a bit hard to make/maintain. But it could probably
> > be done.
>
> It wouldn't be all that hard to maintain. The list of
> browser-displayable, scriptable types doesn't change all that often.
>
> Of course, instead of a blacklist, we could have a whitelist. Perhaps
> text/plain, application/zip, application/octet-stream and a few others.

White-list would be better - pretty much every filetype except plain
text has been exploited in Windows to date, from .ico to .scr to
images and pretty much any kind of file that Windows uses for
anything.

> Alternatively, we could invent our own MIME types,
> application/x-bugzilla-upload-text and
> application/x-bugzilla-upload-binary, which was set on all uploads from
> non-permissioned people by default. When actually serving it, we'd
> detect IE and serve Content-Disposition: attachment, and detect Firefox
> and use text/plain or application/octet-stream.
>
> Would something like this fly?

You might already be able to do that as a

> Or should we just accept this as a fact of life?

From what I've seen on list - one of the Bugzilla developers' redeeming
qualities has been their attention to security.

A.

-- 
http://www.aarontrevena.co.uk
LAMP System Integration, Development and Hosting
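The thread proposes a whitelist of attachment types that browsers will neither script nor render as HTML, with everything else from non-permissioned uploaders forced to download via `Content-Disposition: attachment`. The sketch below is an added example written for this page, not Bugzilla's code (Bugzilla is Perl; Python is used here for brevity): the whitelist is the one named in the thread, and the function names, the `privileged` flag and the filename-sanitising rule are assumptions for illustration.

```python
"""Attachment-serving policy: content-type whitelist plus forced download.

Added example, not Bugzilla code. SAFE_INLINE_TYPES mirrors the types
named in the mailing-list thread; everything else here (function names,
the ``privileged`` flag, filename sanitising) is an assumption.
"""
import re

# Types the thread considers safe to hand to a browser: none of them is
# rendered as HTML or executed as script by a conforming browser.
SAFE_INLINE_TYPES = {
    "text/plain",
    "application/zip",
    "application/octet-stream",
}

# Fallback type for anything not on the whitelist.
FORCED_TYPE = "application/octet-stream"

# RFC 2045 type/subtype token characters (lower-cased before matching).
_TOKEN = re.compile(r"^[a-z0-9!#$&^_.+-]+/[a-z0-9!#$&^_.+-]+$")


def normalize_type(declared):
    """Lower-case the media type and drop parameters ('; charset=...').

    Returns None when the value is not a syntactically valid type/subtype,
    so callers fall back to FORCED_TYPE instead of echoing junk.
    """
    if declared is None:
        return None
    mime = declared.split(";", 1)[0].strip().lower()
    return mime if _TOKEN.match(mime) else None


def safe_filename(name):
    """Reduce a user-supplied filename to something safe in a quoted header.

    Removes CR/LF (header injection), quotes, backslashes and path
    separators, and caps the length. Assumed rule, not Bugzilla's.
    """
    base = re.sub(r"[\\/]+", "_", name or "attachment")
    cleaned = re.sub(r"[^A-Za-z0-9._-]", "_", base)
    return cleaned[:100] or "attachment"


def response_headers(declared_type, filename, privileged=False):
    """Decide Content-Type and Content-Disposition for one attachment.

    Privileged uploaders keep their declared type and are served inline.
    For everyone else, a whitelisted type is served inline as declared;
    any other type (text/html, image/svg+xml, anything unparseable) is
    served as octet-stream with Content-Disposition: attachment, so the
    browser downloads it rather than rendering or sniffing it.
    """
    mime = normalize_type(declared_type) or FORCED_TYPE
    fname = safe_filename(filename)

    if privileged or mime in SAFE_INLINE_TYPES:
        return {
            "Content-Type": mime,
            "Content-Disposition": f'inline; filename="{fname}"',
        }
    return {
        "Content-Type": FORCED_TYPE,
        "Content-Disposition": f'attachment; filename="{fname}"',
    }


if __name__ == "__main__":
    # Constructed sample uploads: a log file, an HTML page, an SVG image.
    for declared, name in [("TEXT/PLAIN; charset=utf-8", "build.log"),
                           ("text/html", "index.html"),
                           ("image/svg+xml", "logo.svg")]:
        print(declared, name, "->", response_headers(declared, name))
```

The forced path always pairs `application/octet-stream` with `attachment`, which is why no browser detection is needed: even a browser that sniffs `octet-stream` content for HTML does not render a response it has been told to download.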
