From 907acd417423fe4550d31afe0b16ee15b2ebad18 Mon Sep 17 00:00:00 2001 From: Frédéric Buclin Date: Tue, 31 Jan 2012 13:04:49 +0100 Subject: Bug 714446: Product.create default behavior is broken and inconsistent with POD r=dkl a=LpSolit --- Bugzilla/WebService/Product.pm | 46 ++++++++++++++++++++++++++---------------- 1 file changed, 29 insertions(+), 17 deletions(-) (limited to 'Bugzilla') diff --git a/Bugzilla/WebService/Product.pm b/Bugzilla/WebService/Product.pm index 3414be4fd..3cd0d0a6c 100644 --- a/Bugzilla/WebService/Product.pm +++ b/Bugzilla/WebService/Product.pm @@ -34,6 +34,11 @@ use constant READ_ONLY => qw( get_selectable_products ); +use constant FIELD_MAP => { + has_unconfirmed => 'allows_unconfirmed', + is_open => 'isactive', +}; + ################################################## # Add aliases here for method name compatibility # ################################################## @@ -105,16 +110,22 @@ sub create { action => "add", object => "products"}); # Create product - my $product = Bugzilla::Product->create({ - allows_unconfirmed => $params->{has_unconfirmed}, - classification => $params->{classification}, - name => $params->{name}, - description => $params->{description}, - version => $params->{version}, - defaultmilestone => $params->{default_milestone}, - isactive => $params->{is_open}, - create_series => $params->{create_series} - }); + my $args = { + name => $params->{name}, + description => $params->{description}, + version => $params->{version}, + defaultmilestone => $params->{default_milestone}, + # create_series has no default value. + create_series => defined $params->{create_series} ? + $params->{create_series} : 1 + }; + foreach my $field (qw(has_unconfirmed is_open classification)) { + if (defined $params->{$field}) { + my $name = FIELD_MAP->{$field} || $field; + $args->{$name} = $params->{$field}; + } + } + my $product = Bugzilla::Product->create($args); return { id => $self->type('int', $product->id) }; } @@ -460,6 +471,7 @@ B C The default version for this product. =item C C Allow the UNCONFIRMED status to be set on bugs in this product. +Default: true. =item C @@ -467,17 +479,17 @@ C The name of the Classification which contains this product. =item C -C The default milestone for this product. +C The default milestone for this product. Default: '---'. =item C C True if the product is currently allowing bugs to be entered -into it. +into it. Default: true. =item C C True if you want series for New Charts to be created for this -new product. +new product. Default: true. =back @@ -489,6 +501,10 @@ A hash with one element, id. This is the id of the newly-filed product. =over +=item 51 (Classification does not exist) + +You must specify an existing classification name. + =item 700 (Product blank name) You must specify a non-blank name for this product. @@ -511,10 +527,6 @@ You must specify a description for this product. You must specify a version for this product. -=item 705 (Product must define a defaut milestone) - -You must define a default milestone. - =back =back -- cgit v1.2.3-24-g4f1b From 6c81a8674ac77562584d5033561f8b4d947f23bb Mon Sep 17 00:00:00 2001 From: Frédéric Buclin Date: Tue, 31 Jan 2012 16:39:50 +0100 Subject: Bug 714472: (CVE-2012-0448) [SECURITY] utf8 homoglyphs are allowed in email addresses, which could allow an attacker to be CC'ed to private bugs by accident r=glob a=LpSolit --- Bugzilla/FlagType.pm | 2 +- Bugzilla/Util.pm | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) (limited to 'Bugzilla') diff --git a/Bugzilla/FlagType.pm b/Bugzilla/FlagType.pm index ea81dfe46..b30065a1c 100644 --- a/Bugzilla/FlagType.pm +++ b/Bugzilla/FlagType.pm @@ -310,7 +310,7 @@ sub _check_cc_list { # - do not contain any illegal character. foreach my $address (@addresses) { ($address =~ /^[\w\.\+\-=]+@[\w\.\-]+\.[\w\-]+$/ - && $address !~ /[\\\(\)<>&,;:"\[\] \t\r\n]/) + && $address !~ /[\\\(\)<>&,;:"\[\] \t\r\n\P{ASCII}]/) || ThrowUserError('illegal_email_address', {addr => $address, default => 1}); } diff --git a/Bugzilla/Util.pm b/Bugzilla/Util.pm index 4c268552b..6d8622e04 100644 --- a/Bugzilla/Util.pm +++ b/Bugzilla/Util.pm @@ -565,7 +565,7 @@ sub generate_random_password { sub validate_email_syntax { my ($addr) = @_; my $match = Bugzilla->params->{'emailregexp'}; - my $ret = ($addr =~ /$match/ && $addr !~ /[\\\(\)<>&,;:"\[\] \t\r\n]/); + my $ret = ($addr =~ /$match/ && $addr !~ /[\\\(\)<>&,;:"\[\] \t\r\n\P{ASCII}]/); if ($ret) { # We assume these checks to suffice to consider the address untainted. trick_taint($_[0]); -- cgit v1.2.3-24-g4f1b From 0b14241a7c307a2619cb67cee42086b30fa03795 Mon Sep 17 00:00:00 2001 From: Frédéric Buclin Date: Tue, 31 Jan 2012 17:01:20 +0100 Subject: (CVE-2012-0440) [SECURITY] JSON-RPC permits to bypass token checks and can lead to CSRF (no victim's action required) r=mkanat a=LpSolit https://bugzilla.mozilla.org/show_bug.cgi?id=718319 --- Bugzilla/WebService/Server/JSONRPC.pm | 14 +++++++++++++- 1 file changed, 13 insertions(+), 1 deletion(-) (limited to 'Bugzilla') diff --git a/Bugzilla/WebService/Server/JSONRPC.pm b/Bugzilla/WebService/Server/JSONRPC.pm index 3b232aafa..cec1c29ea 100644 --- a/Bugzilla/WebService/Server/JSONRPC.pm +++ b/Bugzilla/WebService/Server/JSONRPC.pm @@ -365,7 +365,19 @@ sub _argument_type_check { Bugzilla->input_params($params); - if ($self->request->method ne 'POST') { + if ($self->request->method eq 'POST') { + # CSRF is possible via XMLHttpRequest when the Content-Type header + # is not application/json (for example: text/plain or + # application/x-www-form-urlencoded). + # application/json is the single official MIME type, per RFC 4627. + my $content_type = $self->cgi->content_type; + # The charset can be appended to the content type, so we use a regexp. + if ($content_type !~ m{^application/json(-rpc)?(;.*)?$}i) { + ThrowUserError('json_rpc_illegal_content_type', + { content_type => $content_type }); + } + } + else { # When being called using GET, we don't allow calling # methods that can change data. This protects us against cross-site # request forgeries. -- cgit v1.2.3-24-g4f1b