diff options
author | Dave Lawrence <dlawrence@mozilla.com> | 2012-01-31 17:25:07 +0100 |
---|---|---|
committer | Dave Lawrence <dlawrence@mozilla.com> | 2012-01-31 17:25:07 +0100 |
commit | 0e5047a0f59e50741efaada8b3d13e9a86178bea (patch) | |
tree | 89899a40a2db1dead0356e791e85c26e03292b42 /Bugzilla/WebService/Server/JSONRPC.pm | |
parent | f595c7e8156343c75b64516d73f58d8e7e50e02d (diff) | |
parent | 0b14241a7c307a2619cb67cee42086b30fa03795 (diff) | |
download | bugzilla-0e5047a0f59e50741efaada8b3d13e9a86178bea.tar.gz bugzilla-0e5047a0f59e50741efaada8b3d13e9a86178bea.tar.xz |
merged with bugzilla/4.2
Diffstat (limited to 'Bugzilla/WebService/Server/JSONRPC.pm')
-rw-r--r-- | Bugzilla/WebService/Server/JSONRPC.pm | 14 |
1 files changed, 13 insertions, 1 deletions
diff --git a/Bugzilla/WebService/Server/JSONRPC.pm b/Bugzilla/WebService/Server/JSONRPC.pm index 3b232aafa..cec1c29ea 100644 --- a/Bugzilla/WebService/Server/JSONRPC.pm +++ b/Bugzilla/WebService/Server/JSONRPC.pm @@ -365,7 +365,19 @@ sub _argument_type_check { Bugzilla->input_params($params); - if ($self->request->method ne 'POST') { + if ($self->request->method eq 'POST') { + # CSRF is possible via XMLHttpRequest when the Content-Type header + # is not application/json (for example: text/plain or + # application/x-www-form-urlencoded). + # application/json is the single official MIME type, per RFC 4627. + my $content_type = $self->cgi->content_type; + # The charset can be appended to the content type, so we use a regexp. + if ($content_type !~ m{^application/json(-rpc)?(;.*)?$}i) { + ThrowUserError('json_rpc_illegal_content_type', + { content_type => $content_type }); + } + } + else { # When being called using GET, we don't allow calling # methods that can change data. This protects us against cross-site # request forgeries. |