authorDavid Lawrence <dkl@mozilla.com>2015-03-11 15:26:14 +0100
committerDavid Lawrence <dkl@mozilla.com>2015-03-11 15:52:24 +0100
commit7c6230d6f8a9bd3311252c2c66cbb81b1053f5e2 (patch)
treeb043e0dcbaf0595ccb143d8bb3bdcebcdd2dbaec /Bugzilla/WebService
parentd1a2eb853f7ae3af4f4985ddd25b4f32add7db70 (diff)
downloadbugzilla-7c6230d6f8a9bd3311252c2c66cbb81b1053f5e2.tar.gz
bugzilla-7c6230d6f8a9bd3311252c2c66cbb81b1053f5e2.tar.xz
Bug 1141440 - OPTION response for CORS requests to REST doesn't allow X-Bugzilla headers
Diffstat (limited to 'Bugzilla/WebService')
-rw-r--r--Bugzilla/WebService/Constants.pm12
-rw-r--r--Bugzilla/WebService/Server/REST.pm12
-rw-r--r--Bugzilla/WebService/Util.pm14
3 files changed, 18 insertions, 20 deletions
diff --git a/Bugzilla/WebService/Constants.pm b/Bugzilla/WebService/Constants.pm
index 34981c565..4678d468d 100644
--- a/Bugzilla/WebService/Constants.pm
+++ b/Bugzilla/WebService/Constants.pm
@@ -40,6 +40,8 @@ our @EXPORT = qw(
REST_CONTENT_TYPE_WHITELIST
WS_DISPATCH
+
+ API_AUTH_HEADERS
);
# This maps the error names in global/*-error.html.tmpl to numbers.
@@ -295,4 +297,14 @@ sub WS_DISPATCH {
return $dispatch;
};
+# Custom HTTP headers that can be used for API authentication rather than
+# passing as URL parameters. This is useful if you do not want sensitive
+# information to show up in webserver log files.
+use constant API_AUTH_HEADERS => {
+ X_BUGZILLA_LOGIN => 'Bugzilla_login',
+ X_BUGZILLA_PASSWORD => 'Bugzilla_password',
+ X_BUGZILLA_API_KEY => 'Bugzilla_api_key',
+ X_BUGZILLA_TOKEN => 'Bugzilla_token',
+};
+
1;
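Review bot: The comment introducing API_AUTH_HEADERS explains why the headers exist but not the shape of the keys, and that shape is what the other two hunks depend on: the keys are the uppercase, underscore form handed to `$cgi->http()` in Util.pm, and REST.pm builds the on-the-wire names (`x-bugzilla-login`, …) from them by transliteration, so the map entries cannot be written in any other form. I would add `# Keys are in CGI->http() form (uppercase, '_' instead of '-'); the wire header name is derived from the key and the value is the request parameter the header stands in for.` above the `use constant`. The log-file remark is also a little generous, since headers are merely absent from the default access-log format and are still sent in clear text; a second line, `# Credentials sent this way are only as private as the transport, so TLS is still required.`, keeps readers from treating the header path as a security boundary.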
diff --git a/Bugzilla/WebService/Server/REST.pm b/Bugzilla/WebService/Server/REST.pm
index 9ee340ccb..0013903ef 100644
--- a/Bugzilla/WebService/Server/REST.pm
+++ b/Bugzilla/WebService/Server/REST.pm
@@ -141,16 +141,8 @@ sub response {
{ rpc => $self, result => \$result, response => $response });
# Access Control
- my @allowed_headers = qw(
- accept
- content-type
- origin
- x-bugzilla-api-key
- x-bugzilla-login
- x-bugzilla-password
- x-bugzilla-token
- x-requested-with
- );
+ my @allowed_headers = (qw(accept content-type origin x-requested-with),
+ map { tr/A-Z_/a-z\-/r } keys API_AUTH_HEADERS());
$response->header("Access-Control-Allow-Origin", "*");
$response->header("Access-Control-Allow-Headers", join(', ', @allowed_headers));
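Review bot: `keys API_AUTH_HEADERS()` on the second added line relies on `keys` auto-dereferencing a hashref, whereas the Util.pm hunk of the same commit writes `keys %{ API_AUTH_HEADERS() }`; the explicit form is the one that is valid on every Perl (autoderef was experimental from 5.14 and was removed again in 5.24), so the two call sites should agree: `map { tr/A-Z_/a-z\-/r } keys %{ API_AUTH_HEADERS() }`. `tr///r` itself also needs Perl 5.14, which is worth checking against the project's declared minimum. Since hash order is unspecified, putting `sort` in front of the `map` makes the Access-Control-Allow-Headers value stable across processes, which helps tests and log comparison. A short comment that this list is served together with `Access-Control-Allow-Origin: *`, so any header later added to API_AUTH_HEADERS is automatically exposed to scripts from any origin, would document the coupling this commit introduces.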
diff --git a/Bugzilla/WebService/Util.pm b/Bugzilla/WebService/Util.pm
index cba18c31e..4280f28e6 100644
--- a/Bugzilla/WebService/Util.pm
+++ b/Bugzilla/WebService/Util.pm
@@ -25,6 +25,7 @@ use strict;
use Bugzilla::Flag;
use Bugzilla::FlagType;
use Bugzilla::Error;
+use Bugzilla::WebService::Constants;
use Storable qw(dclone);
use URI::Escape qw(uri_unescape);
@@ -271,22 +272,15 @@ sub params_to_objects {
return \@objects;
}
-use constant X_HEADERS => {
- X_BUGZILLA_LOGIN => 'Bugzilla_login',
- X_BUGZILLA_PASSWORD => 'Bugzilla_password',
- X_BUGZILLA_API_KEY => 'Bugzilla_api_key',
- X_BUGZILLA_TOKEN => 'Bugzilla_token',
-};
-
sub fix_credentials {
my ($params, $cgi) = @_;
# Allow user to pass in authentication details in X-Headers
# This allows callers to keep credentials out of GET request query-strings
if ($cgi) {
- foreach my $field (keys %{ X_HEADERS() }) {
- next if exists $params->{X_HEADERS->{$field}} || $cgi->http($field) // '' eq '';
- $params->{X_HEADERS->{$field}} = uri_unescape($cgi->http($field));
+ foreach my $field (keys %{ API_AUTH_HEADERS() }) {
+ next if exists $params->{API_AUTH_HEADERS->{$field}} || ($cgi->http($field) // '') eq '';
+ $params->{API_AUTH_HEADERS->{$field}} = uri_unescape($cgi->http($field));
}
}
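Review bot: The loop body in fix_credentials percent-decodes every header value with `uri_unescape`, so a password or API key containing a literal `%` followed by two hex digits arrives altered and the login fails with no hint why; that contract (clients must percent-encode X-Bugzilla-* values) is stated nowhere in the hunk and deserves a comment such as `# Header values are expected to be URL-encoded by the caller, so a literal '%' in a credential must be sent as '%25'.` The same comment should say that an explicit request parameter wins over the header, which is what the `exists` test implements. `$cgi->http($field)` is also evaluated twice per iteration; reading it once into a lexical, `my $value = $cgi->http($field) // '';`, then `next if exists $params->{API_AUTH_HEADERS->{$field}} || $value eq '';` and `$params->{API_AUTH_HEADERS->{$field}} = uri_unescape($value);`, reads more plainly. fix_credentials continues past the end of the hunk.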