summaryrefslogtreecommitdiffstats
path: root/Bugzilla
diff options
context:
space:
mode:
Diffstat (limited to 'Bugzilla')
-rw-r--r--Bugzilla/FlagType.pm2
-rw-r--r--Bugzilla/Util.pm2
-rw-r--r--Bugzilla/WebService/Product.pm46
-rw-r--r--Bugzilla/WebService/Server/JSONRPC.pm14
4 files changed, 44 insertions, 20 deletions
diff --git a/Bugzilla/FlagType.pm b/Bugzilla/FlagType.pm
index b17e2771e..9541d9340 100644
--- a/Bugzilla/FlagType.pm
+++ b/Bugzilla/FlagType.pm
@@ -310,7 +310,7 @@ sub _check_cc_list {
# - do not contain any illegal character.
foreach my $address (@addresses) {
($address =~ /^[\w\.\+\-=]+@[\w\.\-]+\.[\w\-]+$/
- && $address !~ /[\\\(\)<>&,;:"\[\] \t\r\n]/)
+ && $address !~ /[\\\(\)<>&,;:"\[\] \t\r\n\P{ASCII}]/)
|| ThrowUserError('illegal_email_address',
{addr => $address, default => 1});
}
diff --git a/Bugzilla/Util.pm b/Bugzilla/Util.pm
index 4c268552b..6d8622e04 100644
--- a/Bugzilla/Util.pm
+++ b/Bugzilla/Util.pm
@@ -565,7 +565,7 @@ sub generate_random_password {
sub validate_email_syntax {
my ($addr) = @_;
my $match = Bugzilla->params->{'emailregexp'};
- my $ret = ($addr =~ /$match/ && $addr !~ /[\\\(\)<>&,;:"\[\] \t\r\n]/);
+ my $ret = ($addr =~ /$match/ && $addr !~ /[\\\(\)<>&,;:"\[\] \t\r\n\P{ASCII}]/);
if ($ret) {
# We assume these checks to suffice to consider the address untainted.
trick_taint($_[0]);
diff --git a/Bugzilla/WebService/Product.pm b/Bugzilla/WebService/Product.pm
index 3414be4fd..3cd0d0a6c 100644
--- a/Bugzilla/WebService/Product.pm
+++ b/Bugzilla/WebService/Product.pm
@@ -34,6 +34,11 @@ use constant READ_ONLY => qw(
get_selectable_products
);
+use constant FIELD_MAP => {
+ has_unconfirmed => 'allows_unconfirmed',
+ is_open => 'isactive',
+};
+
##################################################
# Add aliases here for method name compatibility #
##################################################
@@ -105,16 +110,22 @@ sub create {
action => "add",
object => "products"});
# Create product
- my $product = Bugzilla::Product->create({
- allows_unconfirmed => $params->{has_unconfirmed},
- classification => $params->{classification},
- name => $params->{name},
- description => $params->{description},
- version => $params->{version},
- defaultmilestone => $params->{default_milestone},
- isactive => $params->{is_open},
- create_series => $params->{create_series}
- });
+ my $args = {
+ name => $params->{name},
+ description => $params->{description},
+ version => $params->{version},
+ defaultmilestone => $params->{default_milestone},
+ # create_series has no default value.
+ create_series => defined $params->{create_series} ?
+ $params->{create_series} : 1
+ };
+ foreach my $field (qw(has_unconfirmed is_open classification)) {
+ if (defined $params->{$field}) {
+ my $name = FIELD_MAP->{$field} || $field;
+ $args->{$name} = $params->{$field};
+ }
+ }
+ my $product = Bugzilla::Product->create($args);
return { id => $self->type('int', $product->id) };
}
@@ -460,6 +471,7 @@ B<Required> C<string> The default version for this product.
=item C<has_unconfirmed>
C<boolean> Allow the UNCONFIRMED status to be set on bugs in this product.
+Default: true.
=item C<classification>
@@ -467,17 +479,17 @@ C<string> The name of the Classification which contains this product.
=item C<default_milestone>
-C<string> The default milestone for this product.
+C<string> The default milestone for this product. Default: '---'.
=item C<is_open>
C<boolean> True if the product is currently allowing bugs to be entered
-into it.
+into it. Default: true.
=item C<create_series>
C<boolean> True if you want series for New Charts to be created for this
-new product.
+new product. Default: true.
=back
@@ -489,6 +501,10 @@ A hash with one element, id. This is the id of the newly-filed product.
=over
+=item 51 (Classification does not exist)
+
+You must specify an existing classification name.
+
=item 700 (Product blank name)
You must specify a non-blank name for this product.
@@ -511,10 +527,6 @@ You must specify a description for this product.
You must specify a version for this product.
-=item 705 (Product must define a defaut milestone)
-
-You must define a default milestone.
-
=back
=back
diff --git a/Bugzilla/WebService/Server/JSONRPC.pm b/Bugzilla/WebService/Server/JSONRPC.pm
index 3b232aafa..cec1c29ea 100644
--- a/Bugzilla/WebService/Server/JSONRPC.pm
+++ b/Bugzilla/WebService/Server/JSONRPC.pm
@@ -365,7 +365,19 @@ sub _argument_type_check {
Bugzilla->input_params($params);
- if ($self->request->method ne 'POST') {
+ if ($self->request->method eq 'POST') {
+ # CSRF is possible via XMLHttpRequest when the Content-Type header
+ # is not application/json (for example: text/plain or
+ # application/x-www-form-urlencoded).
+ # application/json is the single official MIME type, per RFC 4627.
+ my $content_type = $self->cgi->content_type;
+ # The charset can be appended to the content type, so we use a regexp.
+ if ($content_type !~ m{^application/json(-rpc)?(;.*)?$}i) {
+ ThrowUserError('json_rpc_illegal_content_type',
+ { content_type => $content_type });
+ }
+ }
+ else {
# When being called using GET, we don't allow calling
# methods that can change data. This protects us against cross-site
# request forgeries.