Using Bugzilla to hide spam sites
Gervase Markham
gerv at mozilla.org
Wed May 16 16:43:46 UTC 2007
Aaron Trevena wrote:
> White-list would be better - pretty much every filetype except plain
> text has been exploited in windows to date, from .ico to .scr to
> images and pretty much any kind of file that windows uses for
> anything.
True. But we are not here to try and make Windows boxes more secure.
Let's get the low-hanging fruit.
According to:
http://msdn.microsoft.com/library/default.asp?url=/workshop/networking/moniker/overview/appendix_a.asp
"Note: In Internet Explorer 6 for Microsoft Windows XP Service Pack 2
(SP2), the MIME type "text/plain" is not ambiguous, and is never
rendered as HTML in the restricted zone, even if the content suggests
that this is the correct format."
So, given that all IE users should be using the latest version and it's
their own fault if they aren't, I suggest the following algorithm.
We convert the following MIME types to text/plain if the attachment is
attached by someone with no privileges whatsoever:
text/html
text/xml
application/xml
application/*+xml
multipart/*
And we note the original MIME type in the upload comment.
That should stop the redirect in a great enough percentage of browsers
so as to make spamming using Bugzilla attachment URLs uneconomical.
Gerv
More information about the developers
mailing list