authorDavid Lawrence <dkl@mozilla.com>2015-01-21 21:37:49 +0100
committerDavid Lawrence <dkl@mozilla.com>2015-01-21 21:37:49 +0100
commit16122921b2f68b490a61cd80ae9ea5ee661ae11b (patch)
treea92202fcfc92df21b3e8218926203042aecaf918 /Bugzilla/WebService/Server
parent4dabf1a9c679f06b3637d3c76e1e05aa83a6d259 (diff)
downloadbugzilla-16122921b2f68b490a61cd80ae9ea5ee661ae11b.tar.gz
bugzilla-16122921b2f68b490a61cd80ae9ea5ee661ae11b.tar.xz
Bug 1090275: WebServices modules should maintain a whitelist of methods that are allowed instead of allowing access to any function imported into its namespace
r=dylan,a=glob
Diffstat (limited to 'Bugzilla/WebService/Server')
-rw-r--r--Bugzilla/WebService/Server/JSONRPC.pm6
-rw-r--r--Bugzilla/WebService/Server/XMLRPC.pm11
2 files changed, 17 insertions, 0 deletions
diff --git a/Bugzilla/WebService/Server/JSONRPC.pm b/Bugzilla/WebService/Server/JSONRPC.pm
index 6cda47480..0b2995a66 100644
--- a/Bugzilla/WebService/Server/JSONRPC.pm
+++ b/Bugzilla/WebService/Server/JSONRPC.pm
@@ -31,6 +31,7 @@ use Bugzilla::Util;
use HTTP::Message;
use MIME::Base64 qw(decode_base64 encode_base64);
+use List::MoreUtils qw(none);
#####################################
# Public JSON::RPC Method Overrides #
@@ -404,6 +405,11 @@ sub _argument_type_check {
}
}
+ # Only allowed methods to be used from our whitelist
+ if (none { $_ eq $method} $pkg->PUBLIC_METHODS) {
+ ThrowUserError('unknown_method', { method => $self->bz_method_name });
+ }
+
# This is the best time to do login checks.
$self->handle_login();
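Review bot: The whitelist check calls `$pkg->PUBLIC_METHODS` unconditionally, so a WebService module that has not (yet) declared that constant dies with a method-resolution error rather than the intended rejection; the same applies to `$class->PUBLIC_METHODS` in the XMLRPC.pm hunk. Guarding with `if (!$pkg->can('PUBLIC_METHODS') || none { $_ eq $method } $pkg->PUBLIC_METHODS) {` makes "no whitelist" an explicit deny instead of an uncaught exception. The rejection is also raised as `ThrowUserError('unknown_method', …)` here but as `ThrowCodeError('unknown_method', …)` in XMLRPC.pm, so the two servers report the same condition as different error classes and each needs an `unknown_method` entry in its own error template to render. `_argument_type_check` begins outside the hunk, so whether every JSON-RPC dispatch path passes through this check cannot be confirmed from here; the whitelist protects only the paths that do.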
diff --git a/Bugzilla/WebService/Server/XMLRPC.pm b/Bugzilla/WebService/Server/XMLRPC.pm
index 56b31ffef..a49ac2033 100644
--- a/Bugzilla/WebService/Server/XMLRPC.pm
+++ b/Bugzilla/WebService/Server/XMLRPC.pm
@@ -20,8 +20,11 @@ if ($ENV{MOD_PERL}) {
}
use Bugzilla::WebService::Constants;
+use Bugzilla::Error;
use Bugzilla::Util;
+use List::MoreUtils qw(none);
+
BEGIN {
# Allow WebService methods to call XMLRPC::Lite's type method directly
*Bugzilla::WebService::type = sub {
@@ -96,6 +99,14 @@ sub handle_login {
my ($self, $classes, $action, $uri, $method) = @_;
my $class = $classes->{$uri};
my $full_method = $uri . "." . $method;
+ # Only allowed methods to be used from the module's whitelist
+ my $file = $class;
+ $file =~ s{::}{/}g;
+ $file .= ".pm";
+ require $file;
+ if (none { $_ eq $method } $class->PUBLIC_METHODS) {
+ ThrowCodeError('unknown_method', { method => $full_method });
+ }
$self->SUPER::handle_login($class, $method, $full_method);
return;
}
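Review bot: `$class` is looked up from `$classes->{$uri}` without a definedness check, so an unmapped `$uri` turns `$file` into the literal `.pm` and the added `require $file` fails with a load error rather than the method rejection this block is meant to produce; whether callers of handle_login can pass such a `$uri` is not visible from the hunk. A short guard before the substitution, `ThrowCodeError('unknown_method', { method => $full_method }) unless defined $class;`, keeps the failure mode explicit. The three-line path derivation would also read better with a comment stating why the module is loaded here, e.g. `# Load the class so its PUBLIC_METHODS constant is available (require is a no-op once loaded)`.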