summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorFrédéric Buclin <LpSolit@gmail.com>2012-01-31 17:01:20 +0100
committerFrédéric Buclin <LpSolit@gmail.com>2012-01-31 17:01:20 +0100
commit0b14241a7c307a2619cb67cee42086b30fa03795 (patch)
treed1464df034d24a8923581d885949b8cecea1205d
parent6c81a8674ac77562584d5033561f8b4d947f23bb (diff)
downloadbugzilla-0b14241a7c307a2619cb67cee42086b30fa03795.tar.gz
bugzilla-0b14241a7c307a2619cb67cee42086b30fa03795.tar.xz
(CVE-2012-0440) [SECURITY] JSON-RPC permits to bypass token checks and can lead to CSRF (no victim's action required)
r=mkanat a=LpSolit https://bugzilla.mozilla.org/show_bug.cgi?id=718319
-rw-r--r--Bugzilla/WebService/Server/JSONRPC.pm14
-rw-r--r--template/en/default/global/user-error.html.tmpl5
2 files changed, 18 insertions, 1 deletions
diff --git a/Bugzilla/WebService/Server/JSONRPC.pm b/Bugzilla/WebService/Server/JSONRPC.pm
index 3b232aafa..cec1c29ea 100644
--- a/Bugzilla/WebService/Server/JSONRPC.pm
+++ b/Bugzilla/WebService/Server/JSONRPC.pm
@@ -365,7 +365,19 @@ sub _argument_type_check {
Bugzilla->input_params($params);
- if ($self->request->method ne 'POST') {
+ if ($self->request->method eq 'POST') {
+ # CSRF is possible via XMLHttpRequest when the Content-Type header
+ # is not application/json (for example: text/plain or
+ # application/x-www-form-urlencoded).
+ # application/json is the single official MIME type, per RFC 4627.
+ my $content_type = $self->cgi->content_type;
+ # The charset can be appended to the content type, so we use a regexp.
+ if ($content_type !~ m{^application/json(-rpc)?(;.*)?$}i) {
+ ThrowUserError('json_rpc_illegal_content_type',
+ { content_type => $content_type });
+ }
+ }
+ else {
# When being called using GET, we don't allow calling
# methods that can change data. This protects us against cross-site
# request forgeries.
diff --git a/template/en/default/global/user-error.html.tmpl b/template/en/default/global/user-error.html.tmpl
index dc0a94ac7..9e99dae15 100644
--- a/template/en/default/global/user-error.html.tmpl
+++ b/template/en/default/global/user-error.html.tmpl
@@ -1018,6 +1018,11 @@
parameter. See the documentation at
[%+ docs_urlbase FILTER html %]api/Bugzilla/WebService/Server/JSONRPC.html
+ [% ELSIF error == "json_rpc_illegal_content_type" %]
+ When using JSON-RPC over POST, you cannot send data as
+ [%+ content_type FILTER html %]. Only application/json and
+ application/json-rpc are allowed.
+
[% ELSIF error == "json_rpc_invalid_params" %]
Could not parse the 'params' argument as valid JSON.
Error: [% err_msg FILTER html %]