[pydotorg-www] bugs.jython giving security warning
techtonik at gmail.com
Thu Jun 14 15:27:33 CEST 2012
On Thu, Jun 14, 2012 at 8:56 AM, "Martin v. Löwis" <martin at v.loewis.de> wrote:
>> Navigating to bugs.jython.org is giving a security warning (at least
>> from chrome) -- bugs.python.org is fine.
> I have now de-spammed the tracker, and requested rescanning, which
> caused the security warning to be dropped.
> It would still be good if the tracker didn't accept HTML attachments,
> but treats them all as text/plain; see bugs.python.org for a reference
> on how this can be done.
I don't know what people are supposed to find by looking at
bugs.python.org, but a quick reply from roundup-devel revealed the
allow_html_file option. See below. This option has always been set to
"no" since inception, so the question is who set it to "yes" for the
Jython tracker, and why?
---------- Forwarded message ----------
From: John P. Rouillard <rouilj at cs.umb.edu>
Date: Thu, Jun 14, 2012 at 4:16 PM
Subject: Re: [Roundup-devel] Fwd: [pydotorg-www] bugs.jython giving
To: anatoly techtonik <techtonik at gmail.com>
Cc: roundup-devel <roundup-devel at lists.sourceforge.net>
<CAPkN8xLg0uuCptd6iBKR8ybyhQTzgBogqhucDHTsD4hF6HzQcQ at mail.gmail.com> ,
anatoly techtonik writes:
> Does Roundup allow attaching arbitrary HTML
> and render it?
Only if you tell it to.
In the tracker you will find this setting in config.ini in the [web] section:
# Setting this option enables Roundup to serve uploaded HTML
# file content *as HTML*. This is a potential security risk
# and is therefore disabled by default. Set to 'yes' if you
# trust *all* users uploading content to your tracker.
# Allowed values: yes, no
# Default: no
allow_html_file = no
if you ignore the warning and set this to yes then the HTML will be
> Is it possible to steal Roundup cookies this way and hijack sessions?
Yes, it could be used for various things.
My employers don't acknowledge my existence much less my opinions.
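As an added illustration (not Roundup's own code, and not from either poster), the script below parses a constructed Roundup-style config.ini, flags the allow_html_file = yes setting discussed above, and shows the mitigation Martin suggests: serving HTML uploads as text/plain unless the operator has explicitly trusted all uploaders. It goes slightly beyond the thread by treating application/xhtml+xml the same as text/html; the helper names are hypothetical.

```python
import configparser

# Constructed sample of a tracker config.ini (not taken from any real tracker);
# the [web] section and allow_html_file option are the ones the thread discusses.
SAMPLE_CONFIG = """
[main]
database = db

[web]
# Setting this option enables Roundup to serve uploaded HTML
# file content *as HTML*. This is a potential security risk
# and is therefore disabled by default.
allow_html_file = yes
"""

def html_uploads_served_as_html(config_text: str) -> bool:
    """Return True if the config lets uploaded HTML render as HTML.

    A missing [web] section or option is treated as the documented
    default ('no'), so only an explicit opt-in counts as enabled.
    """
    parser = configparser.ConfigParser()
    parser.read_string(config_text)
    # getboolean understands yes/no, true/false, on/off, 1/0.
    return parser.getboolean("web", "allow_html_file", fallback=False)

def response_content_type(declared_type: str, allow_html_file: bool) -> str:
    """Choose the Content-Type to serve an uploaded file with (hypothetical helper).

    Unless the operator explicitly trusts all uploaders, HTML-like uploads are
    downgraded to text/plain so the browser displays the markup as text instead
    of executing it in the tracker's origin.
    """
    main_type = declared_type.split(";", 1)[0].strip().lower()
    html_like = {"text/html", "application/xhtml+xml"}
    if main_type in html_like and not allow_html_file:
        return "text/plain; charset=utf-8"
    return declared_type

def audit(config_text: str) -> list[str]:
    """Return findings for a tracker config; an empty list means nothing to fix."""
    findings = []
    if html_uploads_served_as_html(config_text):
        findings.append(
            "[web] allow_html_file = yes: uploaded HTML is rendered in the "
            "tracker's origin, so any uploader's script runs for logged-in "
            "users (session cookie theft, as raised in the thread)."
        )
    return findings

if __name__ == "__main__":
    for line in audit(SAMPLE_CONFIG) or ["no findings"]:
        print(line)
```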