summaryrefslogtreecommitdiffstats
path: root/Bugzilla/WebService
diff options
context:
space:
mode:
authorDavid Lawrence <dkl@mozilla.com>2015-03-11 15:26:14 +0100
committerDavid Lawrence <dkl@mozilla.com>2015-03-11 15:26:14 +0100
commitc3b984aa204bdb318b05302ab50702b789c305b0 (patch)
treef33eb6bbfa25bf771848e22b026733f8b2d0d67b /Bugzilla/WebService
parent74fb163c93ccb10475f507b4b1fe7f4817990a10 (diff)
downloadbugzilla-c3b984aa204bdb318b05302ab50702b789c305b0.tar.gz
bugzilla-c3b984aa204bdb318b05302ab50702b789c305b0.tar.xz
Bug 1141440: OPTION response for CORS requests to REST doesn't allow X-Bugzilla headers
r=glob,a=glob
Diffstat (limited to 'Bugzilla/WebService')
-rw-r--r--Bugzilla/WebService/Constants.pm12
-rw-r--r--Bugzilla/WebService/Server/REST.pm4
-rw-r--r--Bugzilla/WebService/Util.pm14
3 files changed, 19 insertions, 11 deletions
diff --git a/Bugzilla/WebService/Constants.pm b/Bugzilla/WebService/Constants.pm
index cf2666551..42aa600ee 100644
--- a/Bugzilla/WebService/Constants.pm
+++ b/Bugzilla/WebService/Constants.pm
@@ -33,6 +33,8 @@ our @EXPORT = qw(
REST_CONTENT_TYPE_WHITELIST
WS_DISPATCH
+
+ API_AUTH_HEADERS
);
# This maps the error names in global/*-error.html.tmpl to numbers.
@@ -313,6 +315,16 @@ sub WS_DISPATCH {
return $dispatch;
};
+# Custom HTTP headers that can be used for API authentication rather than
+# passing as URL parameters. This is useful if you do not want sensitive
+# information to show up in webserver log files.
+use constant API_AUTH_HEADERS => {
+ X_BUGZILLA_LOGIN => 'Bugzilla_login',
+ X_BUGZILLA_PASSWORD => 'Bugzilla_password',
+ X_BUGZILLA_API_KEY => 'Bugzilla_api_key',
+ X_BUGZILLA_TOKEN => 'Bugzilla_token',
+};
+
1;
=head1 B<Methods in need of POD>
diff --git a/Bugzilla/WebService/Server/REST.pm b/Bugzilla/WebService/Server/REST.pm
index d02ba5523..9c9141c09 100644
--- a/Bugzilla/WebService/Server/REST.pm
+++ b/Bugzilla/WebService/Server/REST.pm
@@ -134,8 +134,10 @@ sub response {
{ rpc => $self, result => \$result, response => $response });
# Access Control
+ my @allowed_headers = (qw(accept content-type origin x-requested-with),
+ map { tr/A-Z_/a-z\-/r } keys API_AUTH_HEADERS());
$response->header("Access-Control-Allow-Origin", "*");
- $response->header("Access-Control-Allow-Headers", "origin, content-type, accept, x-requested-with");
+ $response->header("Access-Control-Allow-Headers", join(', ', @allowed_headers));
# ETag support
my $etag = $self->bz_etag;
diff --git a/Bugzilla/WebService/Util.pm b/Bugzilla/WebService/Util.pm
index 4eae66bd3..cbbc47921 100644
--- a/Bugzilla/WebService/Util.pm
+++ b/Bugzilla/WebService/Util.pm
@@ -14,6 +14,7 @@ use warnings;
use Bugzilla::Flag;
use Bugzilla::FlagType;
use Bugzilla::Error;
+use Bugzilla::WebService::Constants;
use Storable qw(dclone);
use URI::Escape qw(uri_unescape);
@@ -261,22 +262,15 @@ sub params_to_objects {
return \@objects;
}
-use constant X_HEADERS => {
- X_BUGZILLA_LOGIN => 'Bugzilla_login',
- X_BUGZILLA_PASSWORD => 'Bugzilla_password',
- X_BUGZILLA_API_KEY => 'Bugzilla_api_key',
- X_BUGZILLA_TOKEN => 'Bugzilla_token',
-};
-
sub fix_credentials {
my ($params, $cgi) = @_;
# Allow user to pass in authentication details in X-Headers
# This allows callers to keep credentials out of GET request query-strings
if ($cgi) {
- foreach my $field (keys %{ X_HEADERS() }) {
- next if exists $params->{X_HEADERS->{$field}} || $cgi->http($field) // '' eq '';
- $params->{X_HEADERS->{$field}} = uri_unescape($cgi->http($field));
+ foreach my $field (keys %{ API_AUTH_HEADERS() }) {
+ next if exists $params->{API_AUTH_HEADERS->{$field}} || ($cgi->http($field) // '') eq '';
+ $params->{API_AUTH_HEADERS->{$field}} = uri_unescape($cgi->http($field));
}
}