Using Bugzilla to hide spam sites
gerv at mozilla.org
Wed May 16 16:43:46 UTC 2007
Aaron Trevena wrote:
> White-list would be better - pretty much every filetype except plain
> text has been exploited in windows to date, from .ico to .scr to
> images and pretty much any kind of file that windows uses for
True. But we are not here to try and make Windows boxes more secure.
Let's get the low-hanging fruit.
"Note: In Internet Explorer 6 for Microsoft Windows XP Service Pack 2
(SP2), the MIME type "text/plain" is not ambiguous, and is never
rendered as HTML in the restricted zone, even if the content suggests
that this is the correct format."
So, given that all IE users should be using the latest version and it's
their own fault if they aren't, I suggest the following algorithm.
We convert the following MIME types to text/plain if the attachment is
attached by someone with no privileges whatsoever:
And we note the original MIME type in the upload comment.
That should stop the redirect in a great enough percentage of browsers
so as to make spamming using Bugzilla attachment URLs uneconomical.
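The downgrade step described in the proposal, written out as an added stand-alone example (not code from the mail or from Bugzilla itself). Since the message does not include its list of MIME types, the set `DOWNGRADE_TO_TEXT` below is an assumption, and so are the function names and the wording of the comment note.

```python
# Assumed list of types to rewrite for unprivileged uploaders; the original
# mail's list is not available, so this set is a placeholder for illustration.
DOWNGRADE_TO_TEXT = {
    "text/html",
    "application/xhtml+xml",
    "image/svg+xml",
}


def parse_content_type(header):
    """Split 'type/subtype; k=v; ...' into (lowercased media type, params)."""
    parts = [p.strip() for p in header.split(";")]
    media_type = parts[0].lower()
    params = {}
    for part in parts[1:]:
        if "=" in part:
            key, value = part.split("=", 1)
            params[key.strip().lower()] = value.strip().strip('"')
    return media_type, params


def sanitize_attachment_type(header, uploader_privileged):
    """Apply the proposed rule to one upload.

    Returns (content type to store, note for the upload comment or None).
    Privileged uploaders and types outside the list are left untouched, so
    a browser is never handed the original renderable type from an
    anonymous upload.
    """
    media_type, params = parse_content_type(header)
    if uploader_privileged or media_type not in DOWNGRADE_TO_TEXT:
        return header, None
    # Keep the declared charset so the plain-text rendering stays readable.
    charset = params.get("charset")
    stored = "text/plain" + (f"; charset={charset}" if charset else "")
    note = (f"[Attachment MIME type changed from {media_type} "
            f"to text/plain by the server]")
    return stored, note
```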