diff options
author | David Lawrence <dkl@mozilla.com> | 2015-01-21 21:37:49 +0100 |
---|---|---|
committer | David Lawrence <dkl@mozilla.com> | 2015-01-21 21:37:49 +0100 |
commit | 16122921b2f68b490a61cd80ae9ea5ee661ae11b (patch) | |
tree | a92202fcfc92df21b3e8218926203042aecaf918 /Bugzilla/WebService/Server/XMLRPC.pm | |
parent | 4dabf1a9c679f06b3637d3c76e1e05aa83a6d259 (diff) | |
download | bugzilla-16122921b2f68b490a61cd80ae9ea5ee661ae11b.tar.gz bugzilla-16122921b2f68b490a61cd80ae9ea5ee661ae11b.tar.xz |
Bug 1090275: WebServices modules should maintain a whitelist of methods that are allowed instead of allowing access to any function imported into its namespace
r=dylan,a=glob
Diffstat (limited to 'Bugzilla/WebService/Server/XMLRPC.pm')
-rw-r--r-- | Bugzilla/WebService/Server/XMLRPC.pm | 11 |
1 files changed, 11 insertions, 0 deletions
diff --git a/Bugzilla/WebService/Server/XMLRPC.pm b/Bugzilla/WebService/Server/XMLRPC.pm index 56b31ffef..a49ac2033 100644 --- a/Bugzilla/WebService/Server/XMLRPC.pm +++ b/Bugzilla/WebService/Server/XMLRPC.pm @@ -20,8 +20,11 @@ if ($ENV{MOD_PERL}) { } use Bugzilla::WebService::Constants; +use Bugzilla::Error; use Bugzilla::Util; +use List::MoreUtils qw(none); + BEGIN { # Allow WebService methods to call XMLRPC::Lite's type method directly *Bugzilla::WebService::type = sub { @@ -96,6 +99,14 @@ sub handle_login { my ($self, $classes, $action, $uri, $method) = @_; my $class = $classes->{$uri}; my $full_method = $uri . "." . $method; + # Only allowed methods to be used from the module's whitelist + my $file = $class; + $file =~ s{::}{/}g; + $file .= ".pm"; + require $file; + if (none { $_ eq $method } $class->PUBLIC_METHODS) { + ThrowCodeError('unknown_method', { method => $full_method }); + } $self->SUPER::handle_login($class, $method, $full_method); return; } |