Using Bugzilla to hide spam sites

Gervase Markham gerv at mozilla.org
Wed May 16 16:43:46 UTC 2007


Aaron Trevena wrote:
> White-list would be better - pretty much every filetype except plain
> text has been exploited in windows to date, from .ico to .scr to
> images and pretty much any kind of file that windows uses for
> anything.

True. But we are not here to try and make Windows boxes more secure. 
Let's get the low-hanging fruit.

According to:
http://msdn.microsoft.com/library/default.asp?url=/workshop/networking/moniker/overview/appendix_a.asp
"Note: In Internet Explorer 6 for Microsoft Windows XP Service Pack 2 
(SP2), the MIME type "text/plain" is not ambiguous, and is never 
rendered as HTML in the restricted zone, even if the content suggests 
that this is the correct format."

So, given that all IE users should be using the latest version and it's 
their own fault if they aren't, I suggest the following algorithm.

We convert the following MIME types to text/plain if the attachment is 
attached by someone with no privileges whatsoever:

text/html
text/xml
application/xml
application/*+xml
multipart/*

And we note the original MIME type in the upload comment.

That should stop the redirect in a great enough percentage of browsers 
so as to make spamming using Bugzilla attachment URLs uneconomical.

Gerv
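The downgrade rule described in the message above, written out as an added example (this is not Bugzilla's own attachment code, and the function and variable names are assumptions). It normalises the uploaded Content-Type (case, whitespace, `charset=` parameters) before matching, so that `Text/HTML; charset=utf-8` is treated the same as `text/html`, expands the two wildcard entries from the post (`application/*+xml`, `multipart/*`) with glob matching, and returns both the type to store and the note to put in the upload comment. The sample uploads at the bottom are constructed for illustration.

```python
import fnmatch

# Policy from the post: these MIME types are stored as text/plain when the
# uploader has no privileges. The two wildcard entries use the same glob
# notation the post uses.
DOWNGRADE_PATTERNS = (
    "text/html",
    "text/xml",
    "application/xml",
    "application/*+xml",
    "multipart/*",
)

# Type the post relies on browsers never rendering as HTML.
SAFE_TYPE = "text/plain"


def media_type(content_type):
    """Return the lower-cased media type with any parameters stripped.

    'Text/HTML; charset=utf-8' -> 'text/html'
    """
    return content_type.split(";", 1)[0].strip().lower()


def should_downgrade(content_type):
    """True if the (normalised) media type matches one of the patterns."""
    mt = media_type(content_type)
    # fnmatchcase treats '/' like any other character, so 'multipart/*'
    # matches 'multipart/mixed' and 'application/*+xml' matches
    # 'application/xhtml+xml'.
    return any(fnmatch.fnmatchcase(mt, pattern) for pattern in DOWNGRADE_PATTERNS)


def sanitize_attachment_type(content_type, uploader_has_privileges):
    """Apply the post's rule to one upload.

    Returns (content_type_to_store, comment_note). The note is None when
    nothing was changed, otherwise it records the original MIME type so the
    information is kept in the upload comment as the post suggests.
    """
    if uploader_has_privileges or not should_downgrade(content_type):
        return content_type, None
    return SAFE_TYPE, f"Original MIME type: {media_type(content_type)}"


def process_uploads(uploads):
    """Apply the rule to a list of (filename, content_type, privileged) tuples."""
    results = []
    for filename, content_type, privileged in uploads:
        stored, note = sanitize_attachment_type(content_type, privileged)
        results.append((filename, stored, note))
    return results


if __name__ == "__main__":
    # Constructed sample uploads (hypothetical filenames and uploaders).
    sample_uploads = [
        ("redirect.html", "Text/HTML; charset=utf-8", False),
        ("page.xhtml", "application/xhtml+xml", False),
        ("bundle.mht", "multipart/related", False),
        ("screenshot.png", "image/png", False),
        ("testcase.html", "text/html", True),
    ]
    for filename, stored, note in process_uploads(sample_uploads):
        print(f"{filename:16} -> {stored:12} {note or ''}")
```

The check is deliberately a deny-list, as in the post; the earlier reply in the thread argues for an allow-list instead, which would be the inverse test (store `text/plain` unless the type is explicitly permitted) with the same normalisation step in front of it.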


