-rw-r--r-- | Bugzilla/FlagType.pm | 2 | ||||
-rw-r--r-- | Bugzilla/Util.pm | 2 | ||||
-rw-r--r-- | Bugzilla/WebService/Product.pm | 46 | ||||
-rw-r--r-- | Bugzilla/WebService/Server/JSONRPC.pm | 14 | ||||
-rw-r--r-- | template/en/default/global/code-error.html.tmpl | 3 | ||||
-rw-r--r-- | template/en/default/global/user-error.html.tmpl | 10 |
6 files changed, 52 insertions, 25 deletions
diff --git a/Bugzilla/FlagType.pm b/Bugzilla/FlagType.pm
index b17e2771e..9541d9340 100644
--- a/Bugzilla/FlagType.pm
+++ b/Bugzilla/FlagType.pm
@@ -310,7 +310,7 @@ sub _check_cc_list {
 # - do not contain any illegal character.
 foreach my $address (@addresses) {
 ($address =~ /^[\w\.\+\-=]+@[\w\.\-]+\.[\w\-]+$/
- && $address !~ /[\\\(\)<>&,;:"\[\] \t\r\n]/)
+ && $address !~ /[\\\(\)<>&,;:"\[\] \t\r\n\P{ASCII}]/)
 || ThrowUserError('illegal_email_address',
 {addr => $address, default => 1});
 }
diff --git a/Bugzilla/Util.pm b/Bugzilla/Util.pm
index 4c268552b..6d8622e04 100644
--- a/Bugzilla/Util.pm
+++ b/Bugzilla/Util.pm
@@ -565,7 +565,7 @@ sub generate_random_password {
 sub validate_email_syntax {
 my ($addr) = @_;
 my $match = Bugzilla->params->{'emailregexp'};
- my $ret = ($addr =~ /$match/ && $addr !~ /[\\\(\)<>&,;:"\[\] \t\r\n]/);
+ my $ret = ($addr =~ /$match/ && $addr !~ /[\\\(\)<>&,;:"\[\] \t\r\n\P{ASCII}]/);
 if ($ret) {
 # We assume these checks to suffice to consider the address untainted.
 trick_taint($_[0]);
diff --git a/Bugzilla/WebService/Product.pm b/Bugzilla/WebService/Product.pm
index 3414be4fd..3cd0d0a6c 100644
--- a/Bugzilla/WebService/Product.pm
+++ b/Bugzilla/WebService/Product.pm
@@ -34,6 +34,11 @@ use constant READ_ONLY => qw(
 get_selectable_products
 );
+use constant FIELD_MAP => {
+ has_unconfirmed => 'allows_unconfirmed',
+ is_open => 'isactive',
+};
+
 ##################################################
 # Add aliases here for method name compatibility #
 ##################################################
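Review bot: The forbidden-character class `/[\\\(\)<>&,;:"\[\] \t\r\n\P{ASCII}]/` is now duplicated verbatim in `_check_cc_list` here and in `validate_email_syntax` in the Bugzilla/Util.pm hunk, and the second copy is the one that decides what `trick_taint($_[0])` untaints, so the two must not be allowed to drift apart; consider hoisting it into one shared pattern (e.g. `my $illegal_email_chars = qr/[\\\(\)<>&,;:"\[\] \t\r\n\P{ASCII}]/;` in Bugzilla::Util) and referencing it from both places. The `\P{ASCII}` addition matters because `\w` in the allow-pattern on the line above can match non-ASCII letters on Unicode strings, so without it such addresses would pass the positive check. A short comment would keep that intent visible to the next editor: `# Reject anything non-ASCII as well: \w above is Unicode-aware.` `_check_cc_list` begins before the hunk, and `validate_email_syntax` continues past the end of its hunk.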
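Review bot: `FIELD_MAP` is added without a comment saying which way it maps, and neither the name nor the two entries tell a reader that it translates WebService parameter names into the field names `Bugzilla::Product->create` expects, which is how the `create` hunk later uses it. Add above the constant: `# Maps WebService parameter names to the corresponding Bugzilla::Product field names.`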
@@ -105,16 +110,22 @@ sub create {
 action => "add",
 object => "products"});
 # Create product
- my $product = Bugzilla::Product->create({
- allows_unconfirmed => $params->{has_unconfirmed},
- classification => $params->{classification},
- name => $params->{name},
- description => $params->{description},
- version => $params->{version},
- defaultmilestone => $params->{default_milestone},
- isactive => $params->{is_open},
- create_series => $params->{create_series}
- });
+ my $args = {
+ name => $params->{name},
+ description => $params->{description},
+ version => $params->{version},
+ defaultmilestone => $params->{default_milestone},
+ # create_series has no default value.
+ create_series => defined $params->{create_series} ?
+ $params->{create_series} : 1
+ };
+ foreach my $field (qw(has_unconfirmed is_open classification)) {
+ if (defined $params->{$field}) {
+ my $name = FIELD_MAP->{$field} || $field;
+ $args->{$name} = $params->{$field};
+ }
+ }
+ my $product = Bugzilla::Product->create($args);
 return { id => $self->type('int', $product->id) };
 }
@@ -460,6 +471,7 @@ B<Required> C<string> The default version for this product.
 =item C<has_unconfirmed>
 C<boolean> Allow the UNCONFIRMED status to be set on bugs in this product.
+Default: true.
 =item C<classification>
@@ -467,17 +479,17 @@ C<string> The name of the Classification which contains this product.
 =item C<default_milestone>
-C<string> The default milestone for this product.
+C<string> The default milestone for this product. Default: '---'.
 =item C<is_open>
 C<boolean> True if the product is currently allowing bugs to be entered
-into it.
+into it. Default: true.
 =item C<create_series>
 C<boolean> True if you want series for New Charts to be created for this
-new product.
+new product. Default: true.
 =back
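Review bot: The `foreach` over `qw(has_unconfirmed is_open classification)` passes those three fields to `Bugzilla::Product->create` only when the caller supplied them, while the remaining fields are always passed, and the reason for that asymmetry is only implied by the neighbouring `# create_series has no default value.`; a comment on the loop would make it explicit, e.g. `# Only pass these when given, so Bugzilla::Product->create can apply its own defaults.` The `defined ... ? ... : 1` ternary for `create_series` could be written `$params->{create_series} // 1` if the codebase already requires Perl 5.10 — I cannot tell from this page, so only in that case. `sub create` begins before the hunk.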
@@ -489,6 +501,10 @@ A hash with one element, id. This is the id of the newly-filed product.
 =over
+=item 51 (Classification does not exist)
+
+You must specify an existing classification name.
+
 =item 700 (Product blank name)
 You must specify a non-blank name for this product.
@@ -511,10 +527,6 @@ You must specify a description for this product.
 You must specify a version for this product.
-=item 705 (Product must define a defaut milestone)
-
-You must define a default milestone.
-
 =back
 =back
diff --git a/Bugzilla/WebService/Server/JSONRPC.pm b/Bugzilla/WebService/Server/JSONRPC.pm
index 3b232aafa..cec1c29ea 100644
--- a/Bugzilla/WebService/Server/JSONRPC.pm
+++ b/Bugzilla/WebService/Server/JSONRPC.pm
@@ -365,7 +365,19 @@ sub _argument_type_check {
 Bugzilla->input_params($params);
- if ($self->request->method ne 'POST') {
+ if ($self->request->method eq 'POST') {
+ # CSRF is possible via XMLHttpRequest when the Content-Type header
+ # is not application/json (for example: text/plain or
+ # application/x-www-form-urlencoded).
+ # application/json is the single official MIME type, per RFC 4627.
+ my $content_type = $self->cgi->content_type;
+ # The charset can be appended to the content type, so we use a regexp.
+ if ($content_type !~ m{^application/json(-rpc)?(;.*)?$}i) {
+ ThrowUserError('json_rpc_illegal_content_type',
+ { content_type => $content_type });
+ }
+ }
+ else {
 # When being called using GET, we don't allow calling
 # methods that can change data. This protects us against cross-site
 # request forgeries.
diff --git a/template/en/default/global/code-error.html.tmpl b/template/en/default/global/code-error.html.tmpl
index 5dce16976..f100df994 100644
--- a/template/en/default/global/code-error.html.tmpl
+++ b/template/en/default/global/code-error.html.tmpl
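Review bot: `$self->cgi->content_type` can be undef when a POST carries no Content-Type header at all; `$content_type !~ m{...}` then still rejects the request, which is the right outcome, but it does so with an uninitialized-value warning and hands undef to the error template. Initialise it as `my $content_type = $self->cgi->content_type || '';` so a missing header is handled exactly like a wrong one. The comment `# application/json is the single official MIME type, per RFC 4627.` sits next to a regexp that also accepts `application/json-rpc`, so state why the second form is tolerated, e.g. `# application/json-rpc is also accepted for compatibility with existing clients.` It would also help future maintainers to record the reason the check defends against CSRF — a cross-origin form submission cannot set this Content-Type, and a cross-origin XMLHttpRequest that does triggers a CORS preflight — so the whitelist is not loosened later. `_argument_type_check` begins before the hunk and the `else` branch continues past its end.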
@@ -48,8 +48,7 @@
 [% ELSE %]
 [%+ Param('emailregexpdesc') FILTER html_light %]
 [% END %]
- It must also not contain any of these special characters:
- <tt>\ ( ) & < > , ; : " [ ]</tt>, or any whitespace.
+ It also must not contain any illegal characters.
 [% ELSIF error == "authres_unhandled" %]
 The result value of [% value FILTER html %] was not handled by
diff --git a/template/en/default/global/user-error.html.tmpl b/template/en/default/global/user-error.html.tmpl
index 6521150bc..6a37d07e2 100644
--- a/template/en/default/global/user-error.html.tmpl
+++ b/template/en/default/global/user-error.html.tmpl
@@ -851,9 +851,8 @@
 [% ELSE %]
 [%+ Param('emailregexpdesc') FILTER html_light %]
 [% END %]
- It must also not contain any of these special characters:
- <tt>\ ( ) & < > , ; : " [ ]</tt>, or any whitespace.
-
+ It also must not contain any illegal characters.
+
 [% ELSIF error == "illegal_frequency" %]
 [% title = "Too Frequent" %]
 Unless you are an administrator, you may not create series which are
@@ -1019,6 +1018,11 @@
 parameter. See the documentation at
 [%+ docs_urlbase FILTER html %]api/Bugzilla/WebService/Server/JSONRPC.html
+ [% ELSIF error == "json_rpc_illegal_content_type" %]
+ When using JSON-RPC over POST, you cannot send data as
+ [%+ content_type FILTER html %]. Only application/json and
+ application/json-rpc are allowed.
+
 [% ELSIF error == "json_rpc_invalid_params" %]
 Could not parse the 'params' argument as valid JSON.
 Error: [% err_msg FILTER html %] |
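Review bot: The replacement text `It also must not contain any illegal characters.` drops the list of rejected characters that the removed lines spelled out, so a user whose address is refused no longer learns what to remove; the same replacement is made in the user-error.html.tmpl hunk at @@ -851. Keeping the list and naming the newly forbidden class keeps the message actionable without revealing anything the validator does not already enforce, e.g. `It must also not contain any of these special characters: <tt>\ ( ) & < > , ; : " [ ]</tt>, any whitespace, or any non-ASCII character.`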