Assuring Security by testing
Gervase Markham
gerv at mozilla.org
Sat May 3 14:49:30 UTC 2008
Michael Osipov wrote:

> 1. You do have a test suite [2] which works like a lint tool.

Not just that. It checks that every bit of data displayed in the
templates is filtered using TT's FILTER command, and throws an error if
it's not. There is an "exceptions" file but you specifically have to add
your variable name, presumably after carefully checking that it's safe
to do so.

It would be interesting to go back through the XSS holes which have been
found since this system was created, and see why it didn't catch them.
> 4. You claim you have "excellent security" [5]

Here is our page of security advisories:
http://www.bugzilla.org/security/

Note that we regard privacy violations (information leakage) as security
bugs, not just root-your-server bugs. For example, the most recent
security advisory was one such.

Gerv
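The template-filter check Gerv describes above, as an added illustration written for this archive page; it is not Bugzilla's own test nor any Mozilla code. It assumes Template Toolkit's `[% ... %]` directive syntax, treats `FILTER name` and `| name` as the filtered forms, models the "exceptions" file as a plain one-name-per-line list, and runs over a constructed sample template.

```python
import re

# Template Toolkit directive delimiters: [% ... %], with optional "-" whitespace chomp.
DIRECTIVE = re.compile(r"\[%-?\s*(.*?)\s*-?%\]", re.S)
# Directives that control flow or include other templates emit no data themselves.
KEYWORDS = {"IF", "ELSIF", "ELSE", "UNLESS", "END", "FOREACH", "WHILE", "SET",
            "DEFAULT", "INCLUDE", "PROCESS", "BLOCK", "USE", "MACRO", "WRAPPER",
            "TRY", "CATCH", "FINAL", "RETURN", "LAST", "NEXT", "FILTER"}
ASSIGN = re.compile(r"^[\w.]+\s*=(?!=)")          # [% var = value %] outputs nothing
FILTERED = re.compile(r"\bFILTER\s+\w+|\|\s*\w+")  # "FILTER html" or "| html"

def load_exceptions(text):
    """Parse an exceptions list: one variable name per line, '#' starts a comment."""
    return {line.strip() for line in text.splitlines()
            if line.strip() and not line.lstrip().startswith("#")}

def lint_template(template, exceptions=frozenset()):
    """Return (line, variable) pairs for output directives that apply no filter."""
    problems = []
    for m in DIRECTIVE.finditer(template):
        body = m.group(1)
        if not body or body.startswith("#"):          # [%# comment %]
            continue
        name_match = re.match(r"[\w.]+", body)
        if name_match is None or body.split()[0] in KEYWORDS or ASSIGN.match(body):
            continue
        name = name_match.group(0)
        if FILTERED.search(body) or name in exceptions:
            continue
        line = template.count("\n", 0, m.start()) + 1
        problems.append((line, name))
    return problems

# Constructed sample template and exceptions list; neither is taken from Bugzilla.
SAMPLE_TEMPLATE = """\
[%# constructed sample, not a real Bugzilla template %]
[% PROCESS global/header.html.tmpl %]
<h1>[% bug.short_desc FILTER html %]</h1>
<p>[% comment.body | html %]</p>
<p>[% reporter.name %]</p>
[% count = comments.size %]
<span>[% count %]</span>
[% IF bug.assigned_to %]<b>[% bug.assigned_to %]</b>[% END %]
"""
SAMPLE_EXCEPTIONS = "# integers are safe to emit unfiltered\ncount\n"

if __name__ == "__main__":
    for line, name in lint_template(SAMPLE_TEMPLATE, load_exceptions(SAMPLE_EXCEPTIONS)):
        print(f"line {line}: '{name}' is output without a FILTER")
```

Run as-is, it reports `reporter.name` on line 5 and `bug.assigned_to` on line 8, while `count` passes only because the exceptions list names it.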