On Thu, Jun 14, 2012 at 8:56 AM, "Martin v. Löwis" <[email protected]> wrote:
>> Navigating to bugs.jython.org is giving a security warning (at least
>> from chrome) -- bugs.python.org is fine.
>
>
> I have now de-spammed the tracker, and requested rescanning, which
> caused the security warning to be dropped.
>
> It would still be good if the tracker didn't accept HTML attachments,
> but treats them all as text/plain; see bugs.python.org for a reference
> on how this can be done.
I don't know what people are supposed to find by looking at bugs.python.org,
but a quick reply from roundup-devel revealed that allow_html_file option.
See below. This option has always been set to "no" since inception, so the
question is who set it to "yes" for the Jython tracker and why?

---------- Forwarded message ----------
From: John P. Rouillard <[email protected]>
Date: Thu, Jun 14, 2012 at 4:16 PM
Subject: Re: [Roundup-devel] Fwd: [pydotorg-www] bugs.jython giving security warning
To: anatoly techtonik <[email protected]>
Cc: roundup-devel <[email protected]>

In message <capkn8xlg0uucptd6ibkr8ybyhqtzgbogqhucdhtsd4hf6hz...@mail.gmail.com>,
anatoly techtonik writes:

> Does Roundup allow attaching arbitrary HTML

Yes

> and render it?

Only if you tell it to. In the tracker you will find this setting in
config.ini in the [web] section:

[web]
# Setting this option enables Roundup to serve uploaded HTML
# file content *as HTML*. This is a potential security risk
# and is therefore disabled by default. Set to 'yes' if you
# trust *all* users uploading content to your tracker.
# Allowed values: yes, no
# Default: no
allow_html_file = no

If you ignore the warning and set this to yes then the HTML will be
rendered.

> Is it possible to steal Roundup cookies this way and hijack sessions?

Yes, it could be used for various things.

--
                                -- rouilj
John Rouillard
===========================================================================
My employers don't acknowledge my existence much less my opinions.

_______________________________________________
pydotorg-www mailing list
[email protected]
http://mail.python.org/mailman/listinfo/pydotorg-www
