From 16122921b2f68b490a61cd80ae9ea5ee661ae11b Mon Sep 17 00:00:00 2001 From: David Lawrence Date: Wed, 21 Jan 2015 20:37:49 +0000 Subject: Bug 1090275: WebServices modules should maintain a whitelist of methods that are allowed instead of allowing access to any function imported into its namespace r=dylan,a=glob --- Bugzilla/WebService/Server/JSONRPC.pm | 6 ++++++ 1 file changed, 6 insertions(+) (limited to 'Bugzilla/WebService/Server/JSONRPC.pm') diff --git a/Bugzilla/WebService/Server/JSONRPC.pm b/Bugzilla/WebService/Server/JSONRPC.pm index 6cda47480..0b2995a66 100644 --- a/Bugzilla/WebService/Server/JSONRPC.pm +++ b/Bugzilla/WebService/Server/JSONRPC.pm @@ -31,6 +31,7 @@ use Bugzilla::Util; use HTTP::Message; use MIME::Base64 qw(decode_base64 encode_base64); +use List::MoreUtils qw(none); ##################################### # Public JSON::RPC Method Overrides # @@ -404,6 +405,11 @@ sub _argument_type_check { } } + # Only allowed methods to be used from our whitelist + if (none { $_ eq $method} $pkg->PUBLIC_METHODS) { + ThrowUserError('unknown_method', { method => $self->bz_method_name }); + } + # This is the best time to do login checks. $self->handle_login(); -- cgit v1.2.3-24-g4f1b
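Review bot: In the second hunk, `$pkg->PUBLIC_METHODS` is called unconditionally, so a WebService package that does not define the whitelist constant (a third-party or extension module, for instance) would die with a Perl "Can't locate object method" error instead of the clean `unknown_method` user error; that does fail closed, but it surfaces as a server error and lets a caller distinguish "package exists but has no whitelist" from "method not whitelisted". I would guard it so both cases produce the same response: `# Fail closed: a package without a PUBLIC_METHODS whitelist exposes nothing.` / `if (!$pkg->can('PUBLIC_METHODS') || none { $_ eq $method } $pkg->PUBLIC_METHODS) {` (this also adds the missing space before the closing brace in `$method}`). Placing the check ahead of `handle_login()` is the right order, since unauthenticated callers cannot probe for non-public methods. The comment `# Only allowed methods to be used from our whitelist` reads awkwardly; something like `# Only methods listed in the package's PUBLIC_METHODS whitelist are callable; helpers merely imported into the namespace must never be reachable via RPC.` states the actual threat. `_argument_type_check` starts and ends outside the hunk, so how `$pkg` and `$method` are derived from the request cannot be reviewed here; presumably `$pkg` has already been validated against the known WebService packages before this point.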