-rw-r--r--Bugzilla/Constants.pm2
-rw-r--r--Bugzilla/WebService/Constants.pm8
-rw-r--r--Bugzilla/WebService/Server/XMLRPC.pm8
-rw-r--r--docs/en/xml/Bugzilla-Guide.xml9
-rw-r--r--template/en/default/global/user-error.html.tmpl5
-rw-r--r--template/en/default/whine/mail.html.tmpl4
6 files changed, 28 insertions, 8 deletions
diff --git a/Bugzilla/Constants.pm b/Bugzilla/Constants.pm
index d50c8c83c..0f979c9f8 100644
--- a/Bugzilla/Constants.pm
+++ b/Bugzilla/Constants.pm
@@ -202,7 +202,7 @@ use Memoize;
# CONSTANTS
#
# Bugzilla version
-use constant BUGZILLA_VERSION => "4.2rc2+";
+use constant BUGZILLA_VERSION => "4.2+";
# Location of the remote and local XML files to track new releases.
use constant REMOTE_FILE => 'http://updates.bugzilla.org/bugzilla-update.xml';
diff --git a/Bugzilla/WebService/Constants.pm b/Bugzilla/WebService/Constants.pm
index ab3111eed..59aab9b55 100644
--- a/Bugzilla/WebService/Constants.pm
+++ b/Bugzilla/WebService/Constants.pm
@@ -24,6 +24,7 @@ our @EXPORT = qw(
WS_ERROR_CODE
ERROR_UNKNOWN_FATAL
ERROR_UNKNOWN_TRANSIENT
+ XMLRPC_CONTENT_TYPE_WHITELIST
WS_DISPATCH
);
@@ -172,6 +173,8 @@ use constant WS_ERROR_CODE => {
unknown_method => -32601,
json_rpc_post_only => 32610,
json_rpc_invalid_callback => 32611,
+ xmlrpc_illegal_content_type => 32612,
+ json_rpc_illegal_content_type => 32613,
};
# These are the fallback defaults for errors not in ERROR_CODE.
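Review bot: `json_rpc_illegal_content_type` is added to WS_ERROR_CODE but nothing else in this commit raises it; the only Content-Type check added here is in Bugzilla/WebService/Server/XMLRPC.pm, and the user-error.html.tmpl hunk adds a message only for `xmlrpc_illegal_content_type`. Presumably the JSON-RPC server gains the matching check in a follow-up, but until then the code is unused and has no error text. A short comment above the two new entries would tie them to that check: `# Raised when a web service request arrives with a Content-Type outside the allowed list (see XMLRPC_CONTENT_TYPE_WHITELIST).`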
@@ -180,6 +183,11 @@ use constant ERROR_UNKNOWN_TRANSIENT => 32000;
use constant ERROR_GENERAL => 999;
+use constant XMLRPC_CONTENT_TYPE_WHITELIST => qw(
+ text/xml
+ application/xml
+);
+
sub WS_DISPATCH {
# We "require" here instead of "use" above to avoid a dependency loop.
require Bugzilla::Hook;
diff --git a/Bugzilla/WebService/Server/XMLRPC.pm b/Bugzilla/WebService/Server/XMLRPC.pm
index 5c3677993..822709d85 100644
--- a/Bugzilla/WebService/Server/XMLRPC.pm
+++ b/Bugzilla/WebService/Server/XMLRPC.pm
@@ -86,10 +86,18 @@ use XMLRPC::Lite;
our @ISA = qw(XMLRPC::Deserializer);
use Bugzilla::Error;
+use Bugzilla::WebService::Constants qw(XMLRPC_CONTENT_TYPE_WHITELIST);
use Scalar::Util qw(tainted);
sub deserialize {
my $self = shift;
+
+ # Only allow certain content types to protect against CSRF attacks
+ if (!grep($_ eq $ENV{'CONTENT_TYPE'}, XMLRPC_CONTENT_TYPE_WHITELIST)) {
+ ThrowUserError('xmlrpc_illegal_content_type',
+ { content_type => $ENV{'CONTENT_TYPE'} });
+ }
+
my ($xml) = @_;
my $som = $self->SUPER::deserialize(@_);
if (tainted($xml)) {
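Review bot: The `grep` line compares `$ENV{'CONTENT_TYPE'}` against the whitelist with an exact `eq`, so a legitimate client that sends `text/xml; charset=utf-8` (or `Text/XML`) is rejected, and a request with no Content-Type header at all compares undef and emits a warning before throwing. Normalizing the header first keeps the CSRF protection while accepting parameterized media types: `my $content_type = lc($ENV{'CONTENT_TYPE'} || '');`, `$content_type =~ s/\s*;.*//s;` and `if (!grep($_ eq $content_type, XMLRPC_CONTENT_TYPE_WHITELIST)) {`. The same normalized value should be the one passed as `content_type` to ThrowUserError so the error message never interpolates undef. The body of deserialize continues past the end of the hunk.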
diff --git a/docs/en/xml/Bugzilla-Guide.xml b/docs/en/xml/Bugzilla-Guide.xml
index 741a09c2f..db33e8d57 100644
--- a/docs/en/xml/Bugzilla-Guide.xml
+++ b/docs/en/xml/Bugzilla-Guide.xml
@@ -32,12 +32,12 @@
For a devel release, simple bump bz-ver and bz-date
-->
-<!ENTITY bz-ver "4.2rc2">
-<!ENTITY bz-nextver "4.2">
-<!ENTITY bz-date "2012-01-31">
+<!ENTITY bz-ver "4.2">
+<!ENTITY bz-nextver "4.4">
+<!ENTITY bz-date "2012-02-22">
<!ENTITY current-year "2012">
-<!ENTITY landfillbase "http://landfill.bugzilla.org/bugzilla-tip/">
+<!ENTITY landfillbase "http://landfill.bugzilla.org/bugzilla-4.2-branch/">
<!ENTITY bz "http://www.bugzilla.org/">
<!ENTITY bzg-bugs "<ulink url='https://bugzilla.mozilla.org/enter_bug.cgi?product=Bugzilla&amp;component=Documentation'>Bugzilla Documentation</ulink>">
<!ENTITY mysql "http://www.mysql.com/">
@@ -74,7 +74,6 @@
<bookinfo>
<title>The Bugzilla Guide - &bz-ver;
- <!-- BZ-DEVEL -->Development <!-- /BZ-DEVEL -->
Release</title>
<authorgroup>
diff --git a/template/en/default/global/user-error.html.tmpl b/template/en/default/global/user-error.html.tmpl
index acdb11381..6d95850dd 100644
--- a/template/en/default/global/user-error.html.tmpl
+++ b/template/en/default/global/user-error.html.tmpl
@@ -1738,6 +1738,11 @@
&lt;[% type FILTER html %]&gt; field. (See the XML-RPC specification
for details.)
+ [% ELSIF error == "xmlrpc_illegal_content_type" %]
+ When using XML-RPC, you cannot send data as
+ [%+ content_type FILTER html %]. Only text/xml
+ and application/xml are allowed.
+
[% ELSIF error == "zero_length_file" %]
[% title = "File Is Empty" %]
The file you are trying to attach is empty, does not exist, or you don't
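Review bot: The line `and application/xml are allowed.` hard-codes the allowed types, duplicating XMLRPC_CONTENT_TYPE_WHITELIST in Bugzilla/WebService/Constants.pm, so the message will drift the next time the constant changes. Either pass the list in the error hash from the thrower and render it here, or at least mark the coupling with a template comment above the branch: `[%# Keep in sync with XMLRPC_CONTENT_TYPE_WHITELIST in Bugzilla/WebService/Constants.pm %]`.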
diff --git a/template/en/default/whine/mail.html.tmpl b/template/en/default/whine/mail.html.tmpl
index ae4f00cfc..a7bff5038 100644
--- a/template/en/default/whine/mail.html.tmpl
+++ b/template/en/default/whine/mail.html.tmpl
@@ -40,9 +40,9 @@
</head>
<body bgcolor="#FFFFFF">
- <p align="left">
+ <pre>
[% body FILTER html %]
- </p>
+ </pre>
<p align="left">
[% IF author.login == recipient.login %]