Bug 1090275: WebServices modules should maintain a whitelist of methods that are allowed instead of allowing access to any function imported into its namespace

r=dylan,a=glob
author: David Lawrence <dkl@mozilla.com> 2015-01-21 21:37:49 +0100
committer: David Lawrence <dkl@mozilla.com> 2015-01-21 21:37:49 +0100
commit: 16122921b2f68b490a61cd80ae9ea5ee661ae11b (patch)
tree: a92202fcfc92df21b3e8218926203042aecaf918 /Bugzilla/WebService/Server/JSONRPC.pm
parent: 4dabf1a9c679f06b3637d3c76e1e05aa83a6d259 (diff)
download: bugzilla-16122921b2f68b490a61cd80ae9ea5ee661ae11b.tar.gz
bugzilla-16122921b2f68b490a61cd80ae9ea5ee661ae11b.tar.xz
1 files changed, 6 insertions, 0 deletions
diff --git a/Bugzilla/WebService/Server/JSONRPC.pm b/Bugzilla/WebService/Server/JSONRPC.pm
index 6cda47480..0b2995a66 100644
--- a/Bugzilla/WebService/Server/JSONRPC.pm
+++ b/Bugzilla/WebService/Server/JSONRPC.pm
@@ -31,6 +31,7 @@ use Bugzilla::Util;
 
 use HTTP::Message;
 use MIME::Base64 qw(decode_base64 encode_base64);
+use List::MoreUtils qw(none);
 
 #####################################
 # Public JSON::RPC Method Overrides #
@@ -404,6 +405,11 @@ sub _argument_type_check {
         }
     }
 
+    # Only allowed methods to be used from our whitelist
+    if (none { $_ eq $method} $pkg->PUBLIC_METHODS) {
+        ThrowUserError('unknown_method', { method => $self->bz_method_name });
+    }
+
     # This is the best time to do login checks.
     $self->handle_login();
author	David Lawrence <dkl@mozilla.com>	2015-01-21 21:37:49 +0100
committer	David Lawrence <dkl@mozilla.com>	2015-01-21 21:37:49 +0100
commit	16122921b2f68b490a61cd80ae9ea5ee661ae11b (patch)
tree	a92202fcfc92df21b3e8218926203042aecaf918 /Bugzilla/WebService/Server/JSONRPC.pm
parent	4dabf1a9c679f06b3637d3c76e1e05aa83a6d259 (diff)
download	bugzilla-16122921b2f68b490a61cd80ae9ea5ee661ae11b.tar.gz bugzilla-16122921b2f68b490a61cd80ae9ea5ee661ae11b.tar.xz