Closed
Bug 322819
Opened 19 years ago
Closed 19 years ago
bugzilla attachments pose risk for people with power(tm)
Categories: Bugzilla :: Bugzilla-General, defect
People: Reporter: guninski, Unassigned
Attachments: 1 file (deleted), text/html
html attachments in bugzilla pose security risk when opened by people with
power(tm).
with javascript it seems possible to read cookies and restricted bugs.
even without javascript, it seems possible for attachments to perform actions
on behalf of people with power(tm) - like creating saved searches, probably
opening restricted bugs, group fun, etc.
demo for creating a saved search:
https://bugzilla.mozilla.org/attachment.cgi?id=207978&action=view
(probably will work even from host that is not b.m.o).
with javascript on, http POST fun probably is possible, if someone thinks
GET is the problem.
https://bugzilla.mozilla.org/buglist.cgi?newquery=query_format%3Dadvanced%26short_desc_type%3Dallwordssubstr%26short_desc%3D%26long_desc_type%3Dsubstring%26long_desc%3Dfuck%26bug_file_loc_type%3Dallwordssubstr%26bug_file_loc%3D%26status_whiteboard_type%3Dallwordssubstr%26status_whiteboard%3D%26keywords_type%3Dallwords%26keywords%3D%26resolution%3DDUPLICATE%26resolution%3D---%26emailassigned_to1%3D1%26emailtype1%3Dexact%26email1%3D%26emailassigned_to2%3D1%26emailreporter2%3D1%26emailqa_contact2%3D1%26emailtype2%3Dexact%26email2%3D%26bugidtype%3Dinclude%26bug_id%3D%26votes%3D%26chfieldfrom%3D%26chfieldto%3DNow%26chfieldvalue%3D%26remtype%3Dasdefault%26field0-0-0%3Dnoop%26type0-0-0%3Dnoop%26value0-0-0%3D&cmdtype=doit&remtype=asnamed&newqueryname=fuck1
Comment 1•19 years ago (Reporter)
creates saved search
Comment 2•19 years ago
The JS/cookie stuff is bug 38862.
Performing actions on behalf of people with power is bug 26257 and bug 281181.
*** This bug has been marked as a duplicate of 38862 ***
Status: NEW → RESOLVED
Closed: 19 years ago
Resolution: --- → DUPLICATE
Updated•16 years ago
Group: webtools-security → bugzilla-security
Updated•16 years ago
Group: bugzilla-security → webtools-security
Updated•16 years ago
Group: webtools-security → bugzilla-security
Comment 3•16 years ago
This bug is being removed from the security group because the bug that it is a duplicate of is now public, since it has been fixed and a Security Advisory has been sent about it. See bug 468249 for the Security Advisory.
Group: bugzilla-security
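
The demo URL in the description creates a saved search with a GET to buglist.cgi carrying cmdtype=doit, remtype=asnamed and newqueryname. As an added example (not part of the bug report and not Bugzilla's own code), this Python script flags such requests in a web server access log when the Referer is an inline attachment view. The Combined Log Format, the host name and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Combined Log Format is assumed: "METHOD target HTTP/x" status size "referer" "agent"
LOG_RE = re.compile(
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" \d{3} \S+ "(?P<referer>[^"]*)"')

def saved_search_name(target):
    """Return the saved-search name if this request creates one, else None."""
    parts = urlsplit(target)
    if not parts.path.endswith("/buglist.cgi"):
        return None
    q = parse_qs(parts.query)
    # Parameters taken from the demo URL in the bug description.
    if q.get("cmdtype") == ["doit"] and q.get("remtype") == ["asnamed"]:
        return q.get("newqueryname", [""])[0]
    return None

def from_inline_attachment(referer):
    """True when the referring page is an attachment viewed in the browser."""
    parts = urlsplit(referer)
    return (parts.path.endswith("/attachment.cgi")
            and parse_qs(parts.query).get("action") == ["view"])

def flag_requests(lines):
    """Return (method, search name, referer) for each request worth review."""
    hits = []
    for line in lines:
        m = LOG_RE.search(line)
        if m is None:
            continue
        name = saved_search_name(m["target"])
        if name is not None and from_inline_attachment(m["referer"]):
            hits.append((m["method"], name, m["referer"]))
    return hits

# Constructed sample log lines; host, ids and names are placeholders.
HOST = "https://bugzilla.example.org"
FMT = '203.0.113.5 - - [10/Jan/2006:10:00:00 +0000] "GET {} HTTP/1.1" 200 512 "{}" "UA"'
SAVE = "/buglist.cgi?newquery=short_desc%3Dx&cmdtype=doit&remtype=asnamed&newqueryname=demo1"
SAMPLE_LOG = [
    FMT.format(SAVE, HOST + "/attachment.cgi?id=1001&action=view"),  # flagged
    FMT.format(SAVE, HOST + "/query.cgi"),                           # normal UI flow
    FMT.format("/buglist.cgi?short_desc=x", HOST + "/attachment.cgi?id=1001&action=view"),
    FMT.format(SAVE, "-"),                                           # no Referer sent
]

if __name__ == "__main__":
    for hit in flag_requests(SAMPLE_LOG):
        print(hit)
```

A request that arrives without a Referer header is not flagged, so this serves as a log review aid and not as a control.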