summaryrefslogtreecommitdiffstats
path: root/Bugzilla
diff options
context:
space:
mode:
authorDave Lawrence <dlawrence@mozilla.com>2012-02-22 16:48:50 +0100
committerDave Lawrence <dlawrence@mozilla.com>2012-02-22 16:48:50 +0100
commit0af9c776bc5223556c9140378a7a1ab76d94a7c0 (patch)
treed3c98ddad84d0016185362998f7ea6d7bd6141d7 /Bugzilla
parenta50a0814289d7a27acfb6e7ae6308bea5faa072e (diff)
downloadbugzilla-0af9c776bc5223556c9140378a7a1ab76d94a7c0.tar.gz
bugzilla-0af9c776bc5223556c9140378a7a1ab76d94a7c0.tar.xz
Bug 725663 - (CVE-2012-0453) [SECURITY] CSRF vulnerability in the XML-RPC API when using mod_perl
r/a=LpSolit
Diffstat (limited to 'Bugzilla')
-rw-r--r--Bugzilla/WebService/Constants.pm8
-rw-r--r--Bugzilla/WebService/Server/XMLRPC.pm8
2 files changed, 16 insertions, 0 deletions
diff --git a/Bugzilla/WebService/Constants.pm b/Bugzilla/WebService/Constants.pm
index c2eaa0cb2..491970291 100644
--- a/Bugzilla/WebService/Constants.pm
+++ b/Bugzilla/WebService/Constants.pm
@@ -14,6 +14,7 @@ our @EXPORT = qw(
WS_ERROR_CODE
ERROR_UNKNOWN_FATAL
ERROR_UNKNOWN_TRANSIENT
+ XMLRPC_CONTENT_TYPE_WHITELIST
WS_DISPATCH
);
@@ -162,6 +163,8 @@ use constant WS_ERROR_CODE => {
unknown_method => -32601,
json_rpc_post_only => 32610,
json_rpc_invalid_callback => 32611,
+ xmlrpc_illegal_content_type => 32612,
+ json_rpc_illegal_content_type => 32613,
};
# These are the fallback defaults for errors not in ERROR_CODE.
@@ -170,6 +173,11 @@ use constant ERROR_UNKNOWN_TRANSIENT => 32000;
use constant ERROR_GENERAL => 999;
+use constant XMLRPC_CONTENT_TYPE_WHITELIST => qw(
+ text/xml
+ application/xml
+);
+
sub WS_DISPATCH {
# We "require" here instead of "use" above to avoid a dependency loop.
require Bugzilla::Hook;
diff --git a/Bugzilla/WebService/Server/XMLRPC.pm b/Bugzilla/WebService/Server/XMLRPC.pm
index 67e7b7555..33a1e92d3 100644
--- a/Bugzilla/WebService/Server/XMLRPC.pm
+++ b/Bugzilla/WebService/Server/XMLRPC.pm
@@ -73,10 +73,18 @@ use XMLRPC::Lite;
our @ISA = qw(XMLRPC::Deserializer);
use Bugzilla::Error;
+use Bugzilla::WebService::Constants qw(XMLRPC_CONTENT_TYPE_WHITELIST);
use Scalar::Util qw(tainted);
sub deserialize {
my $self = shift;
+
+ # Only allow certain content types to protect against CSRF attacks
+ if (!grep($_ eq $ENV{'CONTENT_TYPE'}, XMLRPC_CONTENT_TYPE_WHITELIST)) {
+ ThrowUserError('xmlrpc_illegal_content_type',
+ { content_type => $ENV{'CONTENT_TYPE'} });
+ }
+
my ($xml) = @_;
my $som = $self->SUPER::deserialize(@_);
if (tainted($xml)) {