Offering full attachment isolation to Bugzilla installations

Gervase Markham gerv at mozilla.org
Tue Sep 29 10:41:48 UTC 2015


Hi everyone,

Over the years, Bugzilla has been beefing up its attempts to avoid
problems caused by the fact that attachments can be uploaded by
untrustworthy people, and yet those attachments often have to be
rendered in the browser - particularly for Bugzillas used for browser
development, like BMO.

First of all, we moved attachments to their own domain, using the
attachmentbase parameter. This stops attachments from being able to
access a user's Bugzilla cookies and credentials. It was even possible
to give each attachment its own subdomain using wildcards, e.g.
bz12345.bmoattachments.org. However, there are some issues that this
still doesn't prevent, where attachments can do things to other
attachments, which is allowed by the Same Origin Policy because
bmoattachments.org is all one origin.

In order to get full isolation in modern browsers, you need to host your
attachments at one hostname per bug, on a domain which is in the Public
Suffix List - http://publicsuffix.org/ . That way, attachments on
bug12345.bmoattachments.org cannot access or do anything to attachments
on bug54321.bmoattachments.org. The domain "bmoattachments.org" has been
added to the PSL for BMO to use for precisely this.

However, that leaves everyone else who runs a Bugzilla having to arrange
for their own specially-registered domain to be added to the PSL, in
order for them to get the same level of security. As the PSL takes some
time to update and propagate to all browsers, this is a pain.

Therefore, my plan is to register the domain "bzattachments.org", add
"*.bzattachments.org" to the PSL, and then offer delegations (e.g.
redhat.bzattachments.org, linuxkernel.bzattachments.org) to any bona
fide Bugzilla which wants one. They just tell me their nameservers, and
I add them to the domain's config. They can then host their attachments
at bug12345.company.bzattachments.org,
bug54321.company.bzattachments.org etc., and get full isolation. This
would be a service provided by the Bugzilla project for the good of the web.

Before I execute and publicise this plan, does anyone see any problems
with it?

Gerv
_______________________________________________
dev-apps-bugzilla mailing list
dev-apps-bugzilla at lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-apps-bugzilla
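
The effect of the Public Suffix List entries described in the message above, as an added example that is not part of the original post or of Bugzilla's code. The rule sets are a constructed subset of the PSL, exception ("!") rules are omitted, and the function names are hypothetical.

```python
# Constructed rule sets: BEFORE has only the TLD, AFTER adds the two
# entries the message describes (one exact rule, one wildcard rule).
BEFORE = {"org"}
AFTER = {"org", "bmoattachments.org", "*.bzattachments.org"}

def _labels(host):
    return host.lower().rstrip(".").split(".")

def public_suffix(host, rules):
    """Longest PSL rule matching the right-hand labels of host."""
    labels = _labels(host)
    best = 1  # PSL default rule "*": the last label alone is a suffix
    for rule in rules:
        rl = rule.split(".")
        if len(rl) > len(labels):
            continue  # "*.x.org" does not make "x.org" itself a suffix
        tail = labels[-len(rl):]
        if all(r == "*" or r == l for r, l in zip(rl, tail)):
            best = max(best, len(rl))
    return ".".join(labels[-best:])

def registrable_domain(host, rules):
    """Public suffix plus one label, or None if host is itself a suffix."""
    labels = _labels(host)
    n = len(public_suffix(host, rules).split("."))
    return ".".join(labels[-(n + 1):]) if len(labels) > n else None

def same_site(a, b, rules):
    """True when both hosts fall under the same registrable domain."""
    ra, rb = registrable_domain(a, rules), registrable_domain(b, rules)
    return ra is not None and ra == rb

def can_set_shared_cookie(host, domain, rules):
    """Would a cookie with Domain=domain, visible to sibling hosts, be kept?
    Browsers do not keep a domain-wide cookie for a public suffix."""
    domain = ".".join(_labels(domain.lstrip(".")))
    if public_suffix(domain, rules) == domain:
        return False
    h = ".".join(_labels(host))
    return h == domain or h.endswith("." + domain)

if __name__ == "__main__":
    a, b = "bug12345.bmoattachments.org", "bug54321.bmoattachments.org"
    for name, rules in (("before", BEFORE), ("after", AFTER)):
        print(name, same_site(a, b, rules),
              can_set_shared_cookie(a, "bmoattachments.org", rules))
```

Without the PSL entry both bug hosts share the registrable domain bmoattachments.org and either can plant a cookie the other receives; with it, each bug hostname is its own registrable domain.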


