User-Agent: Mozilla/5.0 (X11; U; SunOS sun4u; en-US; rv:1.7b) Gecko/20040514 Build Identifier: Mozilla/5.0 (X11; U; SunOS sun4u; en-US; rv:1.7b) Gecko/20040514 When an attachment of MIME Type text/html is added to a bug, it is displayed when attachment.cgi is called with edit or fiew options. When that page contains a redirect to a site outside of the bugzilla server, that page is displayed instead. This seems like it could be a security problem, but people with more knowledge than me should determine that. It seems like more of a problem when the page redirected to is a cgi. An example of the type of file that is attached: <html> <head> <meta http-equiv="refresh" content="0;URL=http://somesite.com/"> </head> <body> </body> </html> I'll try to add an attachment like this as well. If this isn't a problem, please let me know, and I guess if it is a problem, let me know sooner. Thanks Reproducible: Always Steps to Reproduce: 1. add attachment as described above 2. edit attachment Actual Results: was redirected to external page Expected Results: The page was displayed. Appears in both Mozilla and IE. Found this problem in Bugzilla 2.17.6. Seems to still appear in 2.18rc2, but I have not had a chance to install that to verify it.

Attaching an example file forward.html

next time, checkmark the security box for stuff like this... it mails a bunch of extra people to get them hopping on it. :) (not that this issue is exactly hopping, because it's a pain in the butt to fix - see the bug I'm duping it to) *** This bug has been marked as a duplicate of 38862 ***

Hmm, I take that back, reading this a little closer, this isn't actually the same issue (but sort of related anyway). I really don't know if there's much we can do about this... Jesse's probably the guy to tell us what to do here.

Jesse: any thoughts?

I don't think redirecting attachments are a problem.

What's the status of this bug? Still a security bug? Still open? Maybe the reporter wondered if it was possible for the called website to access bugzilla cookies or to launch some script/SQL request on behalf of some bugzilla user.

I don't think this is either a bug or a security bug - I agree with Jesse. Suggest WONTFIX. Gerv

Marking the bug as WONTFIX per comments 5 and 7; but letting the security flag for now. If you disagree, reopen the bug, else remove the security flag.