summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorDave Lawrence <dlawrence@mozilla.com>2013-09-26 17:10:35 +0200
committerDave Lawrence <dlawrence@mozilla.com>2013-09-26 17:10:35 +0200
commit4180e54e7b2c2a147954425312bf1cd485b14d24 (patch)
tree09e9a938e21d5ea1d2b267cdb8131d071212a11b
parent69016099b3a2ae057f5e33ec30545a8209589446 (diff)
downloadbugzilla-4180e54e7b2c2a147954425312bf1cd485b14d24.tar.gz
bugzilla-4180e54e7b2c2a147954425312bf1cd485b14d24.tar.xz
Bug 917669 - invalid or expired authentication tokens and cookies should throw errors, not be silently ignored
-rw-r--r--Bugzilla/Auth/Login/Cookie.pm21
-rw-r--r--Bugzilla/Template.pm5
-rw-r--r--Bugzilla/Util.pm17
-rw-r--r--Bugzilla/WebService.pm7
-rw-r--r--template/en/default/global/user-error.html.tmpl5
5 files changed, 41 insertions, 14 deletions
diff --git a/Bugzilla/Auth/Login/Cookie.pm b/Bugzilla/Auth/Login/Cookie.pm
index 88c48e236..4f4ef80ab 100644
--- a/Bugzilla/Auth/Login/Cookie.pm
+++ b/Bugzilla/Auth/Login/Cookie.pm
@@ -21,6 +21,7 @@ use base qw(Bugzilla::Auth::Login);
use Bugzilla::Constants;
use Bugzilla::Util;
+use Bugzilla::Error;
use List::Util qw(first);
@@ -80,7 +81,9 @@ sub get_login_info {
AND (ipaddr = ? OR ipaddr IS NULL)',
undef, ($login_cookie, $user_id, $ip_addr));
- # If the cookie is valid, return a valid username.
+ # If the cookie or token is valid, return a valid username.
+ # If they were not valid and we are using a webservice, then
+ # throw an error notifying the client.
if ($is_valid) {
# If we logged in successfully, then update the lastused
# time on the login cookie
@@ -88,12 +91,16 @@ sub get_login_info {
WHERE cookie = ?", undef, $login_cookie);
return { user_id => $user_id };
}
+ elsif (i_am_webservice()) {
+ ThrowUserError('invalid_cookies_or_token');
+ }
}
- # Either the he cookie is invalid, or we got no cookie. We don't want
- # to ever return AUTH_LOGINFAILED, because we don't want Bugzilla to
- # actually throw an error when it gets a bad cookie. It should just
- # look like there was no cookie to begin with.
+ # Either the cookie or token is invalid and we are not authenticating
+ # via a webservice, or we did not receive a cookie or token. We don't
+ # want to ever return AUTH_LOGINFAILED, because we don't want Bugzilla to
+ # actually throw an error when it gets a bad cookie or token. It should just
+ # look like there was no cookie or token to begin with.
return { failure => AUTH_NODATA };
}
@@ -104,9 +111,7 @@ sub login_token {
return $self->{'_login_token'} if exists $self->{'_login_token'};
- if ($usage_mode ne USAGE_MODE_XMLRPC
- && $usage_mode ne USAGE_MODE_JSON
- && $usage_mode ne USAGE_MODE_REST) {
+ if (!i_am_webservice()) {
return $self->{'_login_token'} = undef;
}
diff --git a/Bugzilla/Template.pm b/Bugzilla/Template.pm
index 434e49da5..81202965c 100644
--- a/Bugzilla/Template.pm
+++ b/Bugzilla/Template.pm
@@ -824,10 +824,7 @@ sub create {
# (Wrapping the message in the WebService is unnecessary
# and causes awkward things like \n's appearing in error
# messages in JSON-RPC.)
- unless (Bugzilla->usage_mode == USAGE_MODE_JSON
- or Bugzilla->usage_mode == USAGE_MODE_XMLRPC
- or Bugzilla->usage_mode == USAGE_MODE_REST)
- {
+ unless (i_am_webservice()) {
$var = wrap_comment($var, 72);
}
$var =~ s/\&nbsp;/ /g;
diff --git a/Bugzilla/Util.pm b/Bugzilla/Util.pm
index 96dad8327..51bfdb1d3 100644
--- a/Bugzilla/Util.pm
+++ b/Bugzilla/Util.pm
@@ -36,8 +36,8 @@ use base qw(Exporter);
detaint_signed
html_quote url_quote xml_quote
css_class_quote html_light_quote
- i_am_cgi correct_urlbase remote_ip validate_ip
- do_ssl_redirect_if_required use_attachbase
+ i_am_cgi i_am_webservice correct_urlbase remote_ip
+ validate_ip do_ssl_redirect_if_required use_attachbase
diff_arrays on_main_db
trim wrap_hard wrap_comment find_wrap_point
format_time validate_date validate_time datetime_from
@@ -259,6 +259,13 @@ sub i_am_cgi {
return exists $ENV{'SERVER_SOFTWARE'} ? 1 : 0;
}
+sub i_am_webservice {
+ my $usage_mode = Bugzilla->usage_mode;
+ return $usage_mode == USAGE_MODE_XMLRPC
+ || $usage_mode == USAGE_MODE_JSON
+ || $usage_mode == USAGE_MODE_REST;
+}
+
# This exists as a separate function from Bugzilla::CGI::redirect_to_https
# because we don't want to create a CGI object during XML-RPC calls
# (doing so can mess up XML-RPC).
@@ -849,6 +856,7 @@ Bugzilla::Util - Generic utility functions for bugzilla
# Functions that tell you about your environment
my $is_cgi = i_am_cgi();
+ my $is_webservice = i_am_webservice();
my $urlbase = correct_urlbase();
# Data manipulation
@@ -978,6 +986,11 @@ Tells you whether or not you are being run as a CGI script in a web
server. For example, it would return false if the caller is running
in a command-line script.
+=item C<i_am_webservice()>
+
+Tells you whether or not the current usage mode is WebServices related
+such as JSONRPC, XMLRPC, or REST.
+
=item C<correct_urlbase()>
Returns either the C<sslbase> or C<urlbase> parameter, depending on the
diff --git a/Bugzilla/WebService.pm b/Bugzilla/WebService.pm
index 8f97a3a2f..a53c45261 100644
--- a/Bugzilla/WebService.pm
+++ b/Bugzilla/WebService.pm
@@ -188,6 +188,13 @@ For REST, you may also use the C<username> and C<password> variable
names instead of C<Bugzilla_login> and C<Bugzilla_password> as a
convenience.
+=item B<Added in Bugzilla 5.0>
+
+An error is now thrown if you pass invalid cookies or an invalid token.
+You will need to log in again to get new cookies or a new token. Previous
+releases simply ignored invalid cookies and token support was added in
+Bugzilla B<5.0>.
+
=back
=head1 STABLE, EXPERIMENTAL, and UNSTABLE
diff --git a/template/en/default/global/user-error.html.tmpl b/template/en/default/global/user-error.html.tmpl
index e85ecaada..0bd3dd15e 100644
--- a/template/en/default/global/user-error.html.tmpl
+++ b/template/en/default/global/user-error.html.tmpl
@@ -1030,6 +1030,11 @@
[%+ constants.LOGIN_LOCKOUT_INTERVAL FILTER html %] minutes.
[% END %]
+ [% ELSIF error == "invalid_cookies_or_token" %]
+ [% title = "Invalid Cookies or Token" %]
+ The cookies or token provide were not valid or have expired.
+ You may login again to get new cookies or a new token.
+
[% ELSIF error == "json_rpc_get_method_required" %]
When using JSON-RPC over GET, you must specify a 'method'
parameter. See the documentation at