Offering full attachment isolation to Bugzilla installations

Jason Mcdonald jmcdonal at redhat.com
Fri Oct 2 01:32:22 UTC 2015


On 29/09/15 20:41, Gervase Markham wrote:
> Hi everyone,
> 
> Over the years, Bugzilla has been beefing up its attempts to avoid
> problems caused by the fact that attachments can be uploaded by
> untrustworthy people, and yet those attachments often have to be
> rendered in the browser - particularly for Bugzillas used for browser
> development, like BMO.
> 
> First of all, we moved attachments to their own domain, using the
> attachmentbase parameter. This stops attachments from being able to
> access a user's Bugzilla cookies and credentials. It was even possible
> to give each attachment its own subdomain using wildcards, e.g.
> bz12345.bmoattachments.org. However, there are some issues that this
> still doesn't prevent, where attachments can do things to other
> attachments, which is allowed by the Same Origin Policy because
> bmoattachments.org is all one origin.
> 
> In order to get full isolation in modern browsers, you need to host your
> attachments at one hostname per bug, on a domain which is in the Public
> Suffix List - http://publicsuffix.org/ . That way, attachments on
> bug12345.bmoattachments.org cannot access or do anything to attachments
> on bug54321.bmoattachments.org. The domain "bmoattachments.org" has been
> added to the PSL for BMO to use for precisely this.
> 
> However, that leaves everyone else who runs a Bugzilla having to arrange
> for their own specially-registered domain to be added to the PSL, in
> order for them to get the same level of security. As the PSL takes some
> time to update and propagate to all browsers, this is a pain.
> 
> Therefore, my plan is to register the domain "bzattachments.org", add
> "*.bzattachments.org" to the PSL, and then offer delegations (e.g.
> redhat.bzattachments.org, linuxkernel.bzattachments.org) to any bona
> fide Bugzilla which wants one. They just tell me their nameservers, and
> I add them to the domain's config. They can then host their attachments
> at bug12345.company.bzattachments.org,
> bug54321.company.bzattachments.org etc., and get full isolation. This
> would be a service provided by the Bugzilla project for the good of the web.
> 
> Before I execute and publicise this plan, does anyone see any problems
> with it?

Do you have any thoughts on how this would work for non-production
instances of Bugzilla?

At Red Hat, we have a permanent public-facing test server, several
permanent internal test servers and a bunch of developer instances that
tend to come and go over time.

Cheers,
-- 
Jason McDonald
Senior Software Engineer, Red Hat Asia Pacific, Brisbane, Australia
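The isolation argument above hinges on how browsers derive a "site" (registrable domain, eTLD+1) from a hostname using the Public Suffix List. The following is an added example, not code from the thread or from Bugzilla, using a minimal PSL matcher with constructed rule sets; it shows that bug12345.bmoattachments.org and bug54321.bmoattachments.org share a site until bmoattachments.org is on the PSL, and that a wildcard `*.bzattachments.org` rule isolates per-bug hosts under a delegated name such as company.bzattachments.org.

```python
# Added example (not from the original thread): a minimal Public Suffix List
# matcher showing why per-bug attachment hostnames only isolate each other
# once the parent domain, or a wildcard under it, is on the PSL.
# The rule sets are constructed; the real PSL lives at publicsuffix.org.

def public_suffix(host, rules):
    """Return the longest PSL rule that matches host, as concrete labels.

    rules: set of PSL rules such as {"org", "bmoattachments.org",
    "*.bzattachments.org"}. Exception rules ("!...") are not handled.
    A rule matches when the host's trailing labels equal the rule's labels,
    with "*" matching exactly one label; the longest match wins. A host
    with no matching rule falls back to its last label.
    """
    labels = host.lower().rstrip(".").split(".")
    best = None
    for rule in rules:
        rlabels = rule.split(".")
        if len(rlabels) > len(labels):
            continue
        tail = labels[-len(rlabels):]
        if all(r == "*" or r == h for r, h in zip(rlabels, tail)):
            if best is None or len(rlabels) > len(best):
                best = tail  # wildcard already resolved to a real label
    return ".".join(best) if best else labels[-1]

def registrable_domain(host, rules):
    """eTLD+1 of host, or None when host is itself a public suffix."""
    suffix_len = len(public_suffix(host, rules).split("."))
    labels = host.lower().rstrip(".").split(".")
    if len(labels) <= suffix_len:
        return None
    return ".".join(labels[-(suffix_len + 1):])

def same_site(host_a, host_b, rules):
    """True when both hosts share a registrable domain, i.e. a cookie set
    with Domain=<that domain>, or document.domain relaxation, lets content
    served on one host reach the other."""
    a = registrable_domain(host_a, rules)
    b = registrable_domain(host_b, rules)
    return a is not None and a == b
```

With only "org" as a rule, the two bmoattachments.org bug hosts are the same site; adding "bmoattachments.org" or "*.bzattachments.org" to the rules makes each bug host its own site.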
_______________________________________________
dev-apps-bugzilla mailing list
dev-apps-bugzilla at lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-apps-bugzilla
