From 5bb84b3c6efc503652a14e59efbe2b7c548608dd Mon Sep 17 00:00:00 2001 From: Max Kanat-Alexander Date: Thu, 22 Apr 2010 11:52:45 -0700 Subject: Bug 550732: Allow read-only JSON-RPC methods to be called with GET r=dkl, a=mkanat --- Bugzilla/WebService/Server/JSONRPC.pm | 177 +++++++++++++++++++++++++++++----- 1 file changed, 154 insertions(+), 23 deletions(-) (limited to 'Bugzilla/WebService/Server/JSONRPC.pm') diff --git a/Bugzilla/WebService/Server/JSONRPC.pm b/Bugzilla/WebService/Server/JSONRPC.pm index 3ec64c6bc..ae479ff5e 100644 --- a/Bugzilla/WebService/Server/JSONRPC.pm +++ b/Bugzilla/WebService/Server/JSONRPC.pm @@ -28,6 +28,12 @@ use Bugzilla::Error; use Bugzilla::WebService::Constants; use Bugzilla::WebService::Util qw(taint_data); +use Bugzilla::Util qw(correct_urlbase); + +##################################### +# Public JSON::RPC Method Overrides # +##################################### + sub new { my $class = shift; my $self = $class->SUPER::new(@_); @@ -71,6 +77,81 @@ sub response { print $response->content; } +# The JSON-RPC 1.1 GET specification is not so great--you can't specify +# data structures as parameters. However, the JSON-RPC 2.0 "JSON-RPC over +# HTTP" spec is excellent, so we are using that for GET requests, instead. +# Spec: http://groups.google.com/group/json-rpc/web/json-rpc-over-http +# +# The one exception is that we don't require the "params" argument to be +# Base64 encoded, because that is ridiculous and obnoxious for JavaScript +# clients. +sub retrieve_json_from_get { + my $self = shift; + my $cgi = $self->cgi; + + my %input; + + # Both version and id must be set before any errors are thrown. + if ($cgi->param('version')) { + $self->version(scalar $cgi->param('version')); + $input{version} = $cgi->param('version'); + } + else { + $self->version('1.0'); + } + + # The JSON-RPC 2.0 spec says that any request that omits an id doesn't + # want a response. However, in an HTTP GET situation, it's stupid to + # expect all clients to specify some id parameter just to get a response, + # so we don't require it. + my $id; + if (defined $cgi->param('id')) { + $id = $cgi->param('id'); + } + # However, JSON::RPC does require that an id exist in most cases, in + # order to throw proper errors. We use the installation's urlbase as + # the id, in this case. + else { + $id = correct_urlbase(); + } + # Setting _bz_request_id here is required in case we throw errors early, + # before _handle. + $self->{_bz_request_id} = $input{id} = $id; + + if (!$cgi->param('method')) { + ThrowUserError('json_rpc_get_method_required'); + } + $input{method} = $cgi->param('method'); + + my $params; + if (defined $cgi->param('params')) { + local $@; + $params = eval { + $self->json->decode(scalar $cgi->param('params')) + }; + if ($@) { + ThrowUserError('json_rpc_invalid_params', + { params => scalar $cgi->param('params'), + err_msg => $@ }); + } + } + elsif (!$self->version or $self->version ne '1.1') { + $params = []; + } + else { + $params = {}; + } + + $input{params} = $params; + + my $json = $self->json->encode(\%input); + return $json; +} + +####################################### +# Bugzilla::WebService Implementation # +####################################### + sub type { my ($self, $type, $value) = @_; @@ -108,6 +189,35 @@ sub datetime_format_outbound { return $self->SUPER::datetime_format_outbound(@_) . 'Z'; } +sub handle_login { + my $self = shift; + + # If we're being called using GET, we don't allow cookie-based or Env + # login, because GET requests can be done cross-domain, and we don't + # want private data showing up on another site unless the user + # explicitly gives that site their username and password. (This is + # particularly important for JSONP, which would allow a remote site + # to use private data without the user's knowledge, unless we had this + # protection in place.) + if ($self->request->method ne 'POST') { + # XXX There's no particularly good way for us to get a parameter + # to Bugzilla->login at this point, so we pass this information + # around using request_cache, which is a bit of a hack. The + # implementation of it is in Bugzilla::Auth::Login::Stack. + Bugzilla->request_cache->{auth_no_automatic_login} = 1; + } + + my $path = $self->path_info; + my $class = $self->{dispatch_path}->{$path}; + my $full_method = $self->_bz_method_name; + $full_method =~ /^\S+\.(\S+)/; + my $method = $1; + $self->SUPER::handle_login($class, $method, $full_method); +} + +###################################### +# Private JSON::RPC Method Overrides # +###################################### # Store the ID of the current call, because Bugzilla::Error will need it. sub _handle { @@ -154,21 +264,11 @@ sub _error { return $json; } -################## -# Login Handling # -################## - # This handles dispatching our calls to the appropriate class based on # the name of the method. sub _find_procedure { my $self = shift; - # This is also a good place to deny GET requests, since we can - # safely call ThrowUserError at this point. - if ($self->request->method ne 'POST') { - ThrowUserError('json_rpc_post_only'); - } - my $method = shift; $self->{_bz_method_name} = $method; @@ -217,6 +317,16 @@ sub _argument_type_check { Bugzilla->input_params($params); + if ($self->request->method ne 'POST') { + # When being called using GET, we don't allow calling + # methods that can change data. This protects us against cross-site + # request forgeries. + if (!grep($_ eq $method, $pkg->READ_ONLY)) { + ThrowUserError('json_rpc_post_only', + { method => $self->_bz_method_name }); + } + } + # This is the best time to do login checks. $self->handle_login(); @@ -235,17 +345,6 @@ sub _argument_type_check { return $params; } -sub handle_login { - my $self = shift; - - my $path = $self->path_info; - my $class = $self->{dispatch_path}->{$path}; - my $full_method = $self->_bz_method_name; - $full_method =~ /^\S+\.(\S+)/; - my $method = $1; - $self->SUPER::handle_login($class, $method, $full_method); -} - # _bz_method_name is stored by _find_procedure for later use. sub _bz_method_name { return $_[0]->{_bz_method_name}; @@ -285,8 +384,40 @@ your Bugzilla installation. For example, if your Bugzilla is at C, then your JSON-RPC client would access the API via: C -Bugzilla only allows JSON-RPC requests over C. C requests -(or any other type of request, such as C) will be denied. +=head2 Connecting via GET + +The most powerful way to access the JSON-RPC interface is by HTTP POST. +However, for convenience, you can also access certain methods by using GET +(a normal webpage load). Methods that modify the database or cause some +action to happen in Bugzilla cannot be called over GET. Only methods that +simply return data can be used over GET. + +For security reasons, when you connect over GET, cookie authentication +is not accepted. If you want to authenticate using GET, you have to +use the C and C method described at +L. + +To connect over GET, simply send the values that you'd normally send for +each JSON-RPC argument as URL parameters, with the C item being +a JSON string. + +The simplest example is a call to C: + + jsonrpc.cgi?method=Bugzilla.time + +Here's a call to C, with several parameters: + + jsonrpc.cgi?method=User.get¶ms=[ { "ids": [1,2], "names": ["user@domain.com"] } ] + +Although in reality you would url-encode the C argument, so it would +look more like this: + + jsonrpc.cgi?method=User.get¶ms=%5B+%7B+%22ids%22%3A+%5B1%2C2%5D%2C+%22names%22%3A+%5B%22user%40domain.com%22%5D+%7D+%5D + +You can also specify C as a URL parameter, if you want to specify +what version of the JSON-RPC protocol you're using, and C as a URL +parameter if you want there to be a specific C value in the returned +JSON-RPC response. =head1 PARAMETERS -- cgit v1.2.3-24-g4f1b