Daryl C. W. O'Shea wrote, On 17/01/10 4:21 PM:
> Does anyone else find it annoying that Bugzilla no longer opens text
> attachments (like patches) in your browser, and instead triggers a file
> download. I think this happened when BZ was upgraded to version 3.
That was probably related to one of the security issues described in http://www.bugzilla.org/security/2.22.6/

"Bugzilla users can upload HTML or JavaScript attachments that are then viewed by other users in their web browsers. A malicious user could trick another Bugzilla user into viewing a malicious attachment that could then operate as that user. Since Bugzilla would view attachments using the same domain name as the rest of the application, such malicious attachments could access the cookies of the user and perform other activities usually restricted by the cross-site request protections of web browsers."

There are options to allow attachments to be opened in the browser as before, and to do it a bit more safely by having the display be in a different domain, but I don't think we would want to take the chance of an attack based on JavaScript embedded in an attachment.

-- sidney
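A defender's check of the two remedies discussed above (forcing a download versus serving attachments from a separate domain), written as an added Python example; it is not part of this thread or of Bugzilla itself, and the origins and response headers it inspects are constructed sample values.

```python
"""Decide whether an attachment response can be rendered inline without
letting embedded script run with the application's cookies.
Inputs are constructed for illustration; nothing here is Bugzilla's code."""
from urllib.parse import urlsplit

# Content types a browser will execute script from when rendered inline.
ACTIVE_TYPES = {"text/html", "application/xhtml+xml", "image/svg+xml",
                "text/xml", "application/xml"}


def origin(url):
    """Return (scheme, host, port), filling in the default port so that
    https://host/ and https://host:443/ compare equal (same origin)."""
    u = urlsplit(url)
    port = u.port or (443 if u.scheme.lower() == "https" else 80)
    return (u.scheme.lower(), (u.hostname or "").lower(), port)


def inline_render_verdict(app_url, attachment_url, headers):
    """Return (safe, reason) for serving this attachment to a browser.

    headers: dict of HTTP response header name -> value, any letter case.
    Order of the rules matters: a forced download is safe regardless of type,
    a separate origin isolates script from the app's cookies, and only after
    that do we look at what the app-origin response would render as.
    """
    h = {k.lower(): v for k, v in headers.items()}
    disposition = h.get("content-disposition", "").split(";")[0].strip().lower()
    ctype = h.get("content-type", "").split(";")[0].strip().lower()
    nosniff = h.get("x-content-type-options", "").strip().lower() == "nosniff"

    if disposition == "attachment":
        return True, "forced download: the browser never renders it"
    if origin(app_url) != origin(attachment_url):
        return True, "separate origin: script cannot read the app's cookies"
    if ctype in ACTIVE_TYPES:
        return False, "active content on the app origin: script runs as the viewer"
    if not nosniff:
        return False, "same origin without nosniff: browser may sniff it as HTML"
    return True, "inert type on the app origin, sniffing disabled"
```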
