diff options
| author | Frédéric Buclin <LpSolit@gmail.com> | 2012-01-31 16:56:42 +0100 |
|---|---|---|
| committer | Frédéric Buclin <LpSolit@gmail.com> | 2012-01-31 16:56:42 +0100 |
| commit | d141a53e150c68b5a662a0ee625fc398ab164378 (patch) | |
| tree | 61a720c40f9da5333c8b89b3ffaff8c62f7eaa67 | |
| parent | 4e10a0b85df1228abc0b59ff7b4e830cb28ee093 (diff) | |
| download | bugzilla-d141a53e150c68b5a662a0ee625fc398ab164378.tar.gz bugzilla-d141a53e150c68b5a662a0ee625fc398ab164378.tar.xz | |
Bug 718319: (CVE-2012-0440) [SECURITY] JSON-RPC permits to bypass token checks and can lead to CSRF (no victim's action required)
r=mkanat a=LpSolit
| -rw-r--r-- | Bugzilla/WebService/Server/JSONRPC.pm | 14 | ||||
| -rw-r--r-- | template/en/default/global/user-error.html.tmpl | 5 |
2 files changed, 18 insertions, 1 deletions
diff --git a/Bugzilla/WebService/Server/JSONRPC.pm b/Bugzilla/WebService/Server/JSONRPC.pm index 8d12b7178..804d7874e 100644 --- a/Bugzilla/WebService/Server/JSONRPC.pm +++ b/Bugzilla/WebService/Server/JSONRPC.pm @@ -351,7 +351,19 @@ sub _argument_type_check { Bugzilla->input_params($params); - if ($self->request->method ne 'POST') { + if ($self->request->method eq 'POST') { + # CSRF is possible via XMLHttpRequest when the Content-Type header + # is not application/json (for example: text/plain or + # application/x-www-form-urlencoded). + # application/json is the single official MIME type, per RFC 4627. + my $content_type = $self->cgi->content_type; + # The charset can be appended to the content type, so we use a regexp. + if ($content_type !~ m{^application/json(-rpc)?(;.*)?$}i) { + ThrowUserError('json_rpc_illegal_content_type', + { content_type => $content_type }); + } + } + else { # When being called using GET, we don't allow calling # methods that can change data. This protects us against cross-site # request forgeries. diff --git a/template/en/default/global/user-error.html.tmpl b/template/en/default/global/user-error.html.tmpl index f5274b8bd..fdd2fb980 100644 --- a/template/en/default/global/user-error.html.tmpl +++ b/template/en/default/global/user-error.html.tmpl @@ -1007,6 +1007,11 @@ parameter. See the documentation at [%+ docs_urlbase FILTER html %]api/Bugzilla/WebService/Server/JSONRPC.html + [% ELSIF error == "json_rpc_illegal_content_type" %] + When using JSON-RPC over POST, you cannot send data as + [%+ content_type FILTER html %]. Only application/json and + application/json-rpc are allowed. + [% ELSIF error == "json_rpc_invalid_params" %] Could not parse the 'params' argument as valid JSON. Error: [% err_msg FILTER html %] |