authormkanat%bugzilla.org <>2009-11-09 19:27:52 +0100
committermkanat%bugzilla.org <>2009-11-09 19:27:52 +0100
commit5dc75560608d63c6ee8e4c918cace9882f8ddf3b (patch)
tree479634a27e51eb3e1a10a04258dbceca416c91cf /Bugzilla/WebService/Server/XMLRPC.pm
parent877c8ef605f770b00aeda25588c963ef3d5597af (diff)
Bug 513593: Make the WebService taint incoming parameters
Patch by Max Kanat-Alexander <mkanat@bugzilla.org> r=dkl, a=mkanat
Diffstat (limited to 'Bugzilla/WebService/Server/XMLRPC.pm')
-rw-r--r--Bugzilla/WebService/Server/XMLRPC.pm29
1 files changed, 29 insertions, 0 deletions
diff --git a/Bugzilla/WebService/Server/XMLRPC.pm b/Bugzilla/WebService/Server/XMLRPC.pm
index c85614f7a..b2a50712a 100644
--- a/Bugzilla/WebService/Server/XMLRPC.pm
+++ b/Bugzilla/WebService/Server/XMLRPC.pm
@@ -68,6 +68,18 @@ eval { require XMLRPC::Lite; };
our @ISA = qw(XMLRPC::Deserializer);
use Bugzilla::Error;
+use Scalar::Util qw(tainted);
+
+sub deserialize {
+ my $self = shift;
+ my ($xml) = @_;
+ my $som = $self->SUPER::deserialize(@_);
+ if (tainted($xml)) {
+ $som->{_bz_do_taint} = 1;
+ }
+ bless $som, 'Bugzilla::XMLRPC::SOM';
+ return $som;
+}
# Some method arguments need to be converted in some way, when they are input.
sub decode_value {
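Review bot: The new `deserialize` in this hunk re-blesses whatever `SUPER::deserialize` returns into `Bugzilla::XMLRPC::SOM` and stores a private `_bz_do_taint` flag in the object, but nothing explains why taint has to be recorded here and re-applied later rather than flowing through the parsed values. A short header comment stating the reason (presumably that the deserialized parameters come back untainted, so the taint of the raw request is remembered and re-applied in `Bugzilla::XMLRPC::SOM::paramsin` below) would make it clear that the flag, the rebless and the second hunk's override belong together. The decision rests entirely on `tainted($xml)` for the first argument, so the same comment should say that callers must pass the raw request body unchanged: if a decoded or copied body that has lost its taint were ever handed in, the parameters would silently reach the WebService methods untainted, and nothing here would notice. The `paramsin` override in the second hunk also only taints values reached through `paramsin`; if the server reads anything through other `XMLRPC::SOM` accessors those values stay untainted, which may be intended but is worth one sentence in that comment.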
@@ -126,6 +138,23 @@ sub _validation_subs {
1;
+package Bugzilla::XMLRPC::SOM;
+use strict;
+eval { require XMLRPC::Lite; };
+our @ISA = qw(XMLRPC::SOM);
+use Bugzilla::WebService::Util qw(taint_data);
+
+sub paramsin {
+ my $self = shift;
+ my $params = $self->SUPER::paramsin(@_);
+ if ($self->{_bz_do_taint}) {
+ taint_data($params);
+ }
+ return $params;
+}
+
+1;
+
# This package exists to fix a UTF-8 bug in SOAP::Lite.
# See http://rt.cpan.org/Public/Bug/Display.html?id=32952.
package Bugzilla::XMLRPC::Serializer;