From 4180e54e7b2c2a147954425312bf1cd485b14d24 Mon Sep 17 00:00:00 2001 From: Dave Lawrence Date: Thu, 26 Sep 2013 11:10:35 -0400 Subject: Bug 917669 - invalid or expired authentication tokens and cookies should throw errors, not be silently ignored --- Bugzilla/Auth/Login/Cookie.pm | 21 +++++++++++++-------- Bugzilla/Template.pm | 5 +---- Bugzilla/Util.pm | 17 +++++++++++++++-- Bugzilla/WebService.pm | 7 +++++++ template/en/default/global/user-error.html.tmpl | 5 +++++ 5 files changed, 41 insertions(+), 14 deletions(-) diff --git a/Bugzilla/Auth/Login/Cookie.pm b/Bugzilla/Auth/Login/Cookie.pm index 88c48e236..4f4ef80ab 100644 --- a/Bugzilla/Auth/Login/Cookie.pm +++ b/Bugzilla/Auth/Login/Cookie.pm @@ -21,6 +21,7 @@ use base qw(Bugzilla::Auth::Login); use Bugzilla::Constants; use Bugzilla::Util; +use Bugzilla::Error; use List::Util qw(first); @@ -80,7 +81,9 @@ sub get_login_info { AND (ipaddr = ? OR ipaddr IS NULL)', undef, ($login_cookie, $user_id, $ip_addr)); - # If the cookie is valid, return a valid username. + # If the cookie or token is valid, return a valid username. + # If they were not valid and we are using a webservice, then + # throw an error notifying the client. if ($is_valid) { # If we logged in successfully, then update the lastused # time on the login cookie @@ -88,12 +91,16 @@ sub get_login_info { WHERE cookie = ?", undef, $login_cookie); return { user_id => $user_id }; } + elsif (i_am_webservice()) { + ThrowUserError('invalid_cookies_or_token'); + } } - # Either the he cookie is invalid, or we got no cookie. We don't want - # to ever return AUTH_LOGINFAILED, because we don't want Bugzilla to - # actually throw an error when it gets a bad cookie. It should just - # look like there was no cookie to begin with. + # Either the cookie or token is invalid and we are not authenticating + # via a webservice, or we did not receive a cookie or token. We don't + # want to ever return AUTH_LOGINFAILED, because we don't want Bugzilla to + # actually throw an error when it gets a bad cookie or token. It should just + # look like there was no cookie or token to begin with. return { failure => AUTH_NODATA }; } @@ -104,9 +111,7 @@ sub login_token { return $self->{'_login_token'} if exists $self->{'_login_token'}; - if ($usage_mode ne USAGE_MODE_XMLRPC - && $usage_mode ne USAGE_MODE_JSON - && $usage_mode ne USAGE_MODE_REST) { + if (!i_am_webservice()) { return $self->{'_login_token'} = undef; } diff --git a/Bugzilla/Template.pm b/Bugzilla/Template.pm index 434e49da5..81202965c 100644 --- a/Bugzilla/Template.pm +++ b/Bugzilla/Template.pm @@ -824,10 +824,7 @@ sub create { # (Wrapping the message in the WebService is unnecessary # and causes awkward things like \n's appearing in error # messages in JSON-RPC.) - unless (Bugzilla->usage_mode == USAGE_MODE_JSON - or Bugzilla->usage_mode == USAGE_MODE_XMLRPC - or Bugzilla->usage_mode == USAGE_MODE_REST) - { + unless (i_am_webservice()) { $var = wrap_comment($var, 72); } $var =~ s/\ / /g; diff --git a/Bugzilla/Util.pm b/Bugzilla/Util.pm index 96dad8327..51bfdb1d3 100644 --- a/Bugzilla/Util.pm +++ b/Bugzilla/Util.pm @@ -36,8 +36,8 @@ use base qw(Exporter); detaint_signed html_quote url_quote xml_quote css_class_quote html_light_quote - i_am_cgi correct_urlbase remote_ip validate_ip - do_ssl_redirect_if_required use_attachbase + i_am_cgi i_am_webservice correct_urlbase remote_ip + validate_ip do_ssl_redirect_if_required use_attachbase diff_arrays on_main_db trim wrap_hard wrap_comment find_wrap_point format_time validate_date validate_time datetime_from @@ -259,6 +259,13 @@ sub i_am_cgi { return exists $ENV{'SERVER_SOFTWARE'} ? 1 : 0; } +sub i_am_webservice { + my $usage_mode = Bugzilla->usage_mode; + return $usage_mode == USAGE_MODE_XMLRPC + || $usage_mode == USAGE_MODE_JSON + || $usage_mode == USAGE_MODE_REST; +} + # This exists as a separate function from Bugzilla::CGI::redirect_to_https # because we don't want to create a CGI object during XML-RPC calls # (doing so can mess up XML-RPC). @@ -849,6 +856,7 @@ Bugzilla::Util - Generic utility functions for bugzilla # Functions that tell you about your environment my $is_cgi = i_am_cgi(); + my $is_webservice = i_am_webservice(); my $urlbase = correct_urlbase(); # Data manipulation @@ -978,6 +986,11 @@ Tells you whether or not you are being run as a CGI script in a web server. For example, it would return false if the caller is running in a command-line script. +=item C + +Tells you whether or not the current usage mode is WebServices related +such as JSONRPC, XMLRPC, or REST. + =item C Returns either the C or C parameter, depending on the diff --git a/Bugzilla/WebService.pm b/Bugzilla/WebService.pm index 8f97a3a2f..a53c45261 100644 --- a/Bugzilla/WebService.pm +++ b/Bugzilla/WebService.pm @@ -188,6 +188,13 @@ For REST, you may also use the C and C variable names instead of C and C as a convenience. +=item B + +An error is now thrown if you pass invalid cookies or an invalid token. +You will need to log in again to get new cookies or a new token. Previous +releases simply ignored invalid cookies and token support was added in +Bugzilla B<5.0>. + =back =head1 STABLE, EXPERIMENTAL, and UNSTABLE diff --git a/template/en/default/global/user-error.html.tmpl b/template/en/default/global/user-error.html.tmpl index e85ecaada..0bd3dd15e 100644 --- a/template/en/default/global/user-error.html.tmpl +++ b/template/en/default/global/user-error.html.tmpl @@ -1030,6 +1030,11 @@ [%+ constants.LOGIN_LOCKOUT_INTERVAL FILTER html %] minutes. [% END %] + [% ELSIF error == "invalid_cookies_or_token" %] + [% title = "Invalid Cookies or Token" %] + The cookies or token provide were not valid or have expired. + You may login again to get new cookies or a new token. + [% ELSIF error == "json_rpc_get_method_required" %] When using JSON-RPC over GET, you must specify a 'method' parameter. See the documentation at -- cgit v1.2.3-24-g4f1b