diff options
| -rw-r--r-- | Bugzilla/Constants.pm | 2 | ||||
| -rw-r--r-- | Bugzilla/WebService/Constants.pm | 8 | ||||
| -rw-r--r-- | Bugzilla/WebService/Server/XMLRPC.pm | 8 | ||||
| -rw-r--r-- | docs/en/xml/Bugzilla-Guide.xml | 9 | ||||
| -rw-r--r-- | template/en/default/global/user-error.html.tmpl | 5 | ||||
| -rw-r--r-- | template/en/default/whine/mail.html.tmpl | 4 |
6 files changed, 28 insertions, 8 deletions
diff --git a/Bugzilla/Constants.pm b/Bugzilla/Constants.pm index d50c8c83c..0f979c9f8 100644 --- a/Bugzilla/Constants.pm +++ b/Bugzilla/Constants.pm @@ -202,7 +202,7 @@ use Memoize; # CONSTANTS # # Bugzilla version -use constant BUGZILLA_VERSION => "4.2rc2+"; +use constant BUGZILLA_VERSION => "4.2+"; # Location of the remote and local XML files to track new releases. use constant REMOTE_FILE => 'http://updates.bugzilla.org/bugzilla-update.xml'; diff --git a/Bugzilla/WebService/Constants.pm b/Bugzilla/WebService/Constants.pm index ab3111eed..59aab9b55 100644 --- a/Bugzilla/WebService/Constants.pm +++ b/Bugzilla/WebService/Constants.pm @@ -24,6 +24,7 @@ our @EXPORT = qw( WS_ERROR_CODE ERROR_UNKNOWN_FATAL ERROR_UNKNOWN_TRANSIENT + XMLRPC_CONTENT_TYPE_WHITELIST WS_DISPATCH ); @@ -172,6 +173,8 @@ use constant WS_ERROR_CODE => { unknown_method => -32601, json_rpc_post_only => 32610, json_rpc_invalid_callback => 32611, + xmlrpc_illegal_content_type => 32612, + json_rpc_illegal_content_type => 32613, }; # These are the fallback defaults for errors not in ERROR_CODE. @@ -180,6 +183,11 @@ use constant ERROR_UNKNOWN_TRANSIENT => 32000; use constant ERROR_GENERAL => 999; +use constant XMLRPC_CONTENT_TYPE_WHITELIST => qw( + text/xml + application/xml +); + sub WS_DISPATCH { # We "require" here instead of "use" above to avoid a dependency loop. require Bugzilla::Hook; diff --git a/Bugzilla/WebService/Server/XMLRPC.pm b/Bugzilla/WebService/Server/XMLRPC.pm index 5c3677993..822709d85 100644 --- a/Bugzilla/WebService/Server/XMLRPC.pm +++ b/Bugzilla/WebService/Server/XMLRPC.pm @@ -86,10 +86,18 @@ use XMLRPC::Lite; our @ISA = qw(XMLRPC::Deserializer); use Bugzilla::Error; +use Bugzilla::WebService::Constants qw(XMLRPC_CONTENT_TYPE_WHITELIST); use Scalar::Util qw(tainted); sub deserialize { my $self = shift; + + # Only allow certain content types to protect against CSRF attacks + if (!grep($_ eq $ENV{'CONTENT_TYPE'}, XMLRPC_CONTENT_TYPE_WHITELIST)) { + ThrowUserError('xmlrpc_illegal_content_type', + { content_type => $ENV{'CONTENT_TYPE'} }); + } + my ($xml) = @_; my $som = $self->SUPER::deserialize(@_); if (tainted($xml)) { diff --git a/docs/en/xml/Bugzilla-Guide.xml b/docs/en/xml/Bugzilla-Guide.xml index 741a09c2f..db33e8d57 100644 --- a/docs/en/xml/Bugzilla-Guide.xml +++ b/docs/en/xml/Bugzilla-Guide.xml @@ -32,12 +32,12 @@ For a devel release, simple bump bz-ver and bz-date --> -<!ENTITY bz-ver "4.2rc2"> -<!ENTITY bz-nextver "4.2"> -<!ENTITY bz-date "2012-01-31"> +<!ENTITY bz-ver "4.2"> +<!ENTITY bz-nextver "4.4"> +<!ENTITY bz-date "2012-02-22"> <!ENTITY current-year "2012"> -<!ENTITY landfillbase "http://landfill.bugzilla.org/bugzilla-tip/"> +<!ENTITY landfillbase "http://landfill.bugzilla.org/bugzilla-4.2-branch/"> <!ENTITY bz "http://www.bugzilla.org/"> <!ENTITY bzg-bugs "<ulink url='https://bugzilla.mozilla.org/enter_bug.cgi?product=Bugzilla&component=Documentation'>Bugzilla Documentation</ulink>"> <!ENTITY mysql "http://www.mysql.com/"> @@ -74,7 +74,6 @@ <bookinfo> <title>The Bugzilla Guide - &bz-ver; - <!-- BZ-DEVEL -->Development <!-- /BZ-DEVEL --> Release</title> <authorgroup> diff --git a/template/en/default/global/user-error.html.tmpl b/template/en/default/global/user-error.html.tmpl index acdb11381..6d95850dd 100644 --- a/template/en/default/global/user-error.html.tmpl +++ b/template/en/default/global/user-error.html.tmpl @@ -1738,6 +1738,11 @@ <[% type FILTER html %]> field. (See the XML-RPC specification for details.) + [% ELSIF error == "xmlrpc_illegal_content_type" %] + When using XML-RPC, you cannot send data as + [%+ content_type FILTER html %]. Only text/xml + and application/xml are allowed. + [% ELSIF error == "zero_length_file" %] [% title = "File Is Empty" %] The file you are trying to attach is empty, does not exist, or you don't diff --git a/template/en/default/whine/mail.html.tmpl b/template/en/default/whine/mail.html.tmpl index ae4f00cfc..a7bff5038 100644 --- a/template/en/default/whine/mail.html.tmpl +++ b/template/en/default/whine/mail.html.tmpl @@ -40,9 +40,9 @@ </head> <body bgcolor="#FFFFFF"> - <p align="left"> + <pre> [% body FILTER html %] - </p> + </pre> <p align="left"> [% IF author.login == recipient.login %] |