public inbox for overseers@sourceware.org
* sourceware.org Bugzilla seems to run scripts in HTML
From: Florian Weimer @ 2017-11-12 17:16 UTC (permalink / raw)
  To: Frédéric Buclin, overseers

Hi,

as can be seen with this bug report:

   https://sourceware.org/bugzilla/show_bug.cgi?id=22422

Javascript in HTML attachments appears to be served in such a way that it
is run by browsers.  It is probably best not to visit that attachment
while being logged in, in case that Javascript code tries to steal
cookies etc.

Would it be possible to fix this?

Thanks,
Florian


* Re: sourceware.org Bugzilla seems to run scripts in HTML
From: Frédéric Buclin via overseers @ 2017-11-12 18:10 UTC (permalink / raw)
  To: Florian Weimer, overseers

On 12. 11. 17 at 18:16, Florian Weimer wrote:
> Javascript in HTML attachments appears to be served in such a way that it
> is run by browsers.  It is probably best not to visit that attachment
> while being logged in, in case that Javascript code tries to steal
> cookies etc.
> 
> Would it be possible to fix this?


Javascript cannot steal login cookies:

    # Prevent JavaScript from accessing login cookies.
    my %cookieargs = ('-httponly' => 1);


Bugzilla can display attachments from an alternate host, but this
feature is not activated for GCC Bugzilla. See the attachment_base
parameter:

http://bugzilla.readthedocs.io/en/5.0/administering/parameters.html#attachments

If overseers is interested in this feature, please provide me with an
alternate host name to serve attachments. It can point to the same
physical machine. The point is only to make the browser think it's a
different host so that it activates its cross-site scripting protections.

Meanwhile, I deleted the attachment mentioned by Florian, which looked
like an evil script.

Frédéric


* Re: sourceware.org Bugzilla seems to run scripts in HTML
From: Frank Ch. Eigler @ 2017-11-12 18:18 UTC (permalink / raw)
  To: LpSolit; +Cc: Florian Weimer, overseers

Hi -

On Sun, Nov 12, 2017 at 07:10:02PM +0100, Frédéric Buclin via overseers wrote:
> [...]
> If overseers is interested in this feature, please provide me an
> alternate host name to serve attachments. [...]

Can it be just another virtualhost - a DNS subdomain - off of the same
server?  I guess we'd need one for gcc.gnu.org too.

- FChE


* Re: sourceware.org Bugzilla seems to run scripts in HTML
From: Frank Ch. Eigler @ 2017-11-12 18:18 UTC (permalink / raw)
  To: LpSolit; +Cc: Florian Weimer, overseers

Hi -

> > Javascript in HTML attachments appears to be served in such a way that it
> > is run by browsers. [...]

(Could we get bugzilla to serve those with application/octet-stream type?)

- FChE


* Re: sourceware.org Bugzilla seems to run scripts in HTML
From: Frédéric Buclin via overseers @ 2017-11-12 18:27 UTC (permalink / raw)
  To: Frank Ch. Eigler; +Cc: Florian Weimer, overseers

On 12. 11. 17 at 19:17, Frank Ch. Eigler wrote:
> Can it be just another virtualhost - a DNS subdomain - off of the same
> server?  I guess we'd need one for gcc.gnu.org too.

I don't think a subdomain provides the same level of protection as a
whole separate domain. A browser could be configured to allow subdomains
to interact with each other.

For instance, Mozilla uses bugzilla.mozilla.org as the base domain, and
bug%id%.bmoattachments.org as the alternate domain for attachments,
where %id% is replaced by the bug ID for a higher security level (each
bug has its own subdomain to serve attachments). But I don't think we
need such a high security level, i.e. we don't need one host per bug.

Frédéric
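The two messages above (the attachment_base explanation and the subdomain versus separate-domain point) both rest on browser rules that are easy to get wrong. The following is an added example, not Bugzilla's code, that models those rules: the same-origin comparison, and RFC 6265 cookie domain matching, which decides whether a login cookie scoped to the parent domain is sent to an attachment host. The `%bugid%` token is the one documented for attachment_base on the page linked above; all host names and ids are constructed for illustration.

```python
"""
Added example, not Bugzilla's own code: a small model of the two browser
rules that make an alternate attachment host (Bugzilla's attachment_base
parameter) useful, and that separate the "subdomain" and "separate
domain" options discussed in this thread.

  1. Same-origin policy: script on an attachment page may only read the
     DOM of, or issue credentialed requests in the context of, pages
     whose scheme, host and port all match its own.
  2. RFC 6265 cookie domain matching: a cookie without a Domain attribute
     is host-only and is sent only to the exact host that set it; a cookie
     with Domain=example.org is also sent to every subdomain of example.org.

The %bugid% token is the one documented for attachment_base. All host
names and ids below are constructed for illustration.
"""
from typing import Optional, Tuple
from urllib.parse import urlsplit

DEFAULT_PORT = {"http": 80, "https": 443}


def origin(url: str) -> Tuple[str, str, int]:
    """Return the (scheme, host, port) triple a browser compares."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    return (scheme, host, parts.port or DEFAULT_PORT[scheme])


def same_origin(a: str, b: str) -> bool:
    """True when script loaded from a may touch the document at b."""
    return origin(a) == origin(b)


def attachment_url(attachment_base: str, bug_id: int, attachment_id: int) -> str:
    """Expand attachment_base (which may contain %bugid%) into the URL an
    attachment is fetched from when the parameter is set."""
    base = attachment_base.replace("%bugid%", str(bug_id))
    if not base.endswith("/"):
        base += "/"
    return f"{base}attachment.cgi?id={attachment_id}"


def cookie_sent_to(request_host: str, set_by_host: str,
                   cookie_domain: Optional[str]) -> bool:
    """RFC 6265 section 5.1.3 domain matching for one cookie."""
    request_host = request_host.lower()
    if cookie_domain is None:                 # host-only cookie
        return request_host == set_by_host.lower()
    domain = cookie_domain.lower().lstrip(".")
    return request_host == domain or request_host.endswith("." + domain)


def isolation_report(bugzilla_url: str, attachment_base: str, bug_id: int,
                     login_cookie_domain: Optional[str]) -> dict:
    """Summarise what an attachment served from attachment_base can reach."""
    att = attachment_url(attachment_base, bug_id, 1)
    att_host = origin(att)[1]
    main_host = origin(bugzilla_url)[1]
    return {
        "attachment_url": att,
        "same_origin_as_bugzilla": same_origin(bugzilla_url, att),
        "login_cookie_sent_to_attachment_host":
            cookie_sent_to(att_host, main_host, login_cookie_domain),
    }


if __name__ == "__main__":
    main = "https://sourceware.org/bugzilla/"
    bases = (
        "https://sourceware.org/bugzilla/",                     # no separation
        "https://attachments.sourceware.org/bugzilla/",         # subdomain
        "https://bug%bugid%.sourceware-attachments.example/",   # separate domain, per bug
    )
    for base in bases:
        for dom in (None, "sourceware.org"):
            print(base, "Domain=", dom, isolation_report(main, base, 22422, dom))
```

Running the script shows the difference Frédéric describes: a subdomain already breaks the same-origin check, but a login cookie that was set with `Domain=sourceware.org` still travels to `attachments.sourceware.org`, whereas a host-only cookie or a wholly separate domain keeps it away from the attachment host.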


* Re: sourceware.org Bugzilla seems to run scripts in HTML
From: Frédéric Buclin via overseers @ 2017-11-12 18:33 UTC (permalink / raw)
  To: Frank Ch. Eigler; +Cc: Florian Weimer, overseers

On 12. 11. 17 at 19:18, Frank Ch. Eigler wrote:
> (Could we get bugzilla to serve those with application/octet-stream type?)

I'm not a fan of this solution. You would have to create a blacklist
with potentially evil MIME types. text/html is not the only MIME type
which can execute Javascript code. text/xml could too, and possibly some
other MIME types too.

But if you *really* insist, I could implement such a blacklist. :)


Frédéric
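Frank's application/octet-stream suggestion and Frédéric's objection to maintaining a blacklist describe two opposite policies for the headers an attachment is served with. The following is an added example, not Bugzilla's code, that writes both down side by side: the blacklist rewrite of known active types, and an allowlist that renders only inert types inline and forces everything else to download, so an unlisted type fails closed. Both emit `X-Content-Type-Options: nosniff`. The type sets, file names and content types are illustrative and constructed, not a complete classification.

```python
"""
Added example, not Bugzilla's own code: two policies for the response
headers an attachment is served with, illustrating the trade-off in the
exchange above.

  blacklist_headers(): the application/octet-stream idea. Content types
      known to carry script are rewritten; everything else is served as
      uploaded. The list must name every active type, which is the
      objection raised in the thread.
  allowlist_headers(): the inverse. Only a short list of inert types is
      rendered inline; anything else is forced to download, so an
      unlisted type fails closed.

Both emit X-Content-Type-Options: nosniff so the browser does not promote
a body to a different type than the header says. The type sets are
illustrative, not a complete classification.
"""
from typing import Dict

# Types browsers parse as a document that can run script. text/html and
# text/xml come from the thread; the others are XML-based document types
# that also execute script. Deliberately not exhaustive.
ACTIVE_TYPES = {
    "text/html", "application/xhtml+xml",
    "text/xml", "application/xml", "image/svg+xml",
}

# Types a browser renders without executing anything from the body.
INERT_INLINE_TYPES = {"text/plain", "image/png", "image/jpeg", "image/gif"}


def normalise(content_type: str) -> str:
    """'Text/HTML; charset=utf-8' -> 'text/html' (parameters and case dropped)."""
    return content_type.split(";", 1)[0].strip().lower()


def safe_filename(name: str) -> str:
    """Keep the filename parameter from breaking the header: drop quotes,
    backslashes and line breaks."""
    return "".join(c for c in name if c not in '"\\\r\n')


def blacklist_headers(content_type: str, filename: str) -> Dict[str, str]:
    """Serve as uploaded unless the type is on the active-type list."""
    ct = normalise(content_type)
    if ct in ACTIVE_TYPES:
        ct = "application/octet-stream"   # the browser will offer a download
    return {
        "Content-Type": ct,
        "X-Content-Type-Options": "nosniff",
        "Content-Disposition": f'inline; filename="{safe_filename(filename)}"',
    }


def allowlist_headers(content_type: str, filename: str) -> Dict[str, str]:
    """Render inline only if the type is on the inert list; otherwise download."""
    ct = normalise(content_type)
    fname = safe_filename(filename)
    if ct in INERT_INLINE_TYPES:
        return {
            "Content-Type": ct,
            "X-Content-Type-Options": "nosniff",
            "Content-Disposition": f'inline; filename="{fname}"',
        }
    return {
        "Content-Type": "application/octet-stream",
        "X-Content-Type-Options": "nosniff",
        "Content-Disposition": f'attachment; filename="{fname}"',
    }


if __name__ == "__main__":
    # Constructed sample uploads; the third has a type neither list mentions.
    samples = (
        ("text/html; charset=utf-8", "poc.html"),
        ("image/png", "screenshot.png"),
        ("application/x-something-new", "blob.bin"),
    )
    for ct, name in samples:
        print(name,
              "| blacklist:", blacklist_headers(ct, name)["Content-Type"],
              "| allowlist:", allowlist_headers(ct, name)["Content-Disposition"])
```

The third sample is the case that separates the two policies: the blacklist passes an unknown type through unchanged, while the allowlist forces it to download. That is the maintenance burden Frédéric points at, made concrete.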

