Bug 70907: QuickSearch: port the JS code to perl (make it server-side) - Patch…

Bug 70907: QuickSearch: port the JS code to perl (make it server-side) - Patch by Marc Schumann <wurblzap@gmail.com> r=wicked a=myk

Bug 70907: QuickSearch: port the JS code to perl (make it server-side) - Patch…
15a11fc7 · lpsolit%gmail.com · 17d65655 · 15a11fc7 · 15a11fc7
Commit 15a11fc7 authored Apr 04, 2008 by lpsolit%gmail.com
Hide whitespace changes
Inline Side-by-side

Showing with 30 additions and 84 deletions

security.xml docs/en/xml/security.xml +20 -17

using.xml docs/en/xml/using.xml +10 -67

No files found.
--- a/docs/en/xml/security.xml
+++ b/docs/en/xml/security.xml
 <!-- <!DOCTYPE chapter PUBLIC "-//OASIS//DTD DocBook XML V4.1.2//EN"> -->
-<!-- $Id: security.xml,v 1.10 2008/04/04 06:48:17 mozilla%colinogilvie.co.uk Exp $ -->
+<!-- $Id: security.xml,v 1.7 2008/04/04 06:48:14 lpsolit%gmail.com Exp $ -->

 <chapter id="security">
 <title>Bugzilla Security</title>
@@ -352,25 +352,28 @@ skip-networking
    <section id="security-bugzilla-charset">
    <title>Prevent users injecting malicious Javascript</title>

-      <para>If you installed Bugzilla version 2.22 or later from scratch,
-      then the <emphasis>utf8</emphasis> parameter is switched on by default.
-      This makes Bugzilla explicitly set the character encoding, following
+      <para>It is possible for a Bugzilla user to take advantage of character
+      set encoding ambiguities to inject HTML into Bugzilla comments. This
+      could include malicious scripts. 
+      Due to internationalization concerns, we are unable to
+      incorporate by default the code changes suggested by 
      <ulink
-      url="http://www.cert.org/tech_tips/malicious_code_mitigation.html#3">a
-      CERT advisory</ulink> recommending exactly this.
-      The following therefore does not apply to you; just keep
-      <emphasis>utf8</emphasis> turned on.
+      url="http://www.cert.org/tech_tips/malicious_code_mitigation.html#3">the
+      CERT advisory</ulink> on this issue.
+      Making the change in <xref linkend="security-bugzilla-charset-ex"/> will
+      prevent this problem. 
      </para>

-      <para>If you've upgraded from an older version, then it may be possible
-      for a Bugzilla user to take advantage of character set encoding
-      ambiguities to inject HTML into Bugzilla comments.
-      This could include malicious scripts. 
-      This is because due to internationalization concerns, we are unable to
-      turn the <emphasis>utf8</emphasis> parameter on by default for upgraded
-      installations.
-      Turning it on manually will prevent this problem.
-      </para>
+      <example id="security-bugzilla-charset-ex">
+      <title>Forcing Bugzilla to output a charset</title>
+
+        <para>Locate the following line in
+        <filename>Bugzilla/CGI.pm</filename>:
+        <programlisting>$self->charset('');</programlisting>
+        and change it to:
+        <programlisting>$self->charset('UTF-8');</programlisting>
+        </para>
+      </example>
    </section>    
    
  </section>

--- a/docs/en/xml/using.xml
+++ b/docs/en/xml/using.xml
@@ -290,7 +290,7 @@
  <section id="query">
    <title>Searching for Bugs</title>

-    <para>The Bugzilla Search page is the interface where you can find
+    <para>The Bugzilla Search page is is the interface where you can find
    any bug report, comment, or patch currently in the Bugzilla system. You
    can play with it here: 
    <ulink url="&landfillbase;query.cgi"/>.</para>
@@ -796,76 +796,27 @@
  <section id="userpreferences">
    <title>User Preferences</title>

-    <para>Once you have logged in, you can customise various aspects of
+    <para>Once you have logged in, you can customise various aspects of 
    Bugzilla via the "Edit prefs" link in the page footer.
    The preferences are split into three tabs:</para>

-    <section id="accountpreferences" xreflabel="Account Preferences">
-      <title>Account Preferences</title>
+    <section id="accountsettings" xreflabel="Account Settings">
+      <title>Account Settings</title>

      <para>On this tab, you can change your basic account information,
      including your password, email address and real name. For security
-      reasons, in order to change anything on this page you must type your
+      reasons, in order to change anything on this page you must type your 
      <emphasis>current</emphasis>
-      password into the
+      password into the 
      <quote>Password</quote>
-      field at the top of the page.
+      field at the top of the page. 
      If you attempt to change your email address, a confirmation
      email is sent to both the old and new addresses, with a link to use to
      confirm the change. This helps to prevent account hijacking.</para>
    </section>

-    <section id="generalpreferences" xreflabel="General Preferences">
-      <title>General Preferences</title>
-
-      <para>
-        This tab allows you to change several Bugzilla behavior.
-      </para>
-
-      <itemizedlist spacing="compact">
-        <listitem>
-          <para>
-            Field separator character for CSV files -
-            This controls separator character used in CSV formatted Bug List.
-          </para>
-        </listitem>
-        <listitem>
-          <para>
-            After changing bugs - This controls which bugs or no bugs
-            are shown in the page after you changed bugs.
-            You can select the bug you've changed this time, or the next
-            bug of the list.
-          </para>
-        </listitem>
-        <listitem>
-          <para>
-            Add individual bugs to saved searches - this controls
-            whether you can add individual bugs to saved searches
-            or you can't.
-          </para>
-        </listitem>
-        <listitem>
-          <para>
-            When viewing a bug, show comments in this order -
-            This controls the order of comments, you can select below:
-            <simplelist>
-              <member>Initial description, comment 1, comment 2, ...</member>
-              <member>Initial description, last comment, ..., comment 2, comment 1.</member>
-              <member>Initial last comment, ..., comment 2, comment 1, description.</member>
-            </simplelist>
-          </para>
-        </listitem>
-        <listitem>
-          <para>
-            Show a quip at the top of each bug list - This controls
-            whether a quip will be shown on the Bug list page or not.
-          </para>
-        </listitem>
-      </itemizedlist>
-    </section>
-
-    <section id="emailpreferences">
-      <title>Email Preferences</title>
+    <section id="emailsettings">
+      <title>Email Settings</title>

      <para>
        This tab controls the amount of email Bugzilla sends you.
@@ -901,7 +852,7 @@
          Your Bugzilla administrator can stop a user from receiving
          bugmail by adding the user's name to the 
          <filename>data/nomail</filename> file. This is a drastic step
-          best taken only for disabled accounts, as it overrides 
+          best taken only for disabled accounts, as it overrides the 
          the user's individual mail preferences.
        </para>
      </note>
@@ -1222,14 +1173,6 @@
      appended to the flag name within parentheses.  For example, if Jack
      asks Jill for review, it appears as Jack: review [ ? ] (Jill).
    </para>
-
-    <para>
-      You can browse through open requests made of you and by you by selecting
-      'My Requests' from the footer. You can also look at open requests limited
-      by other requesters, requestees, products, components, and flag names from
-      this page. Note that you can use '-' for requestee to specify flags with
-      'no requestee' set.
-    </para>
  </section>

  <section id="whining">