Commit d141a53e authored by Frédéric Buclin's avatar Frédéric Buclin

Bug 718319: (CVE-2012-0440) [SECURITY] JSON-RPC permits to bypass token checks…

Bug 718319: (CVE-2012-0440) [SECURITY] JSON-RPC permits to bypass token checks and can lead to CSRF (no victim's action required) r=mkanat a=LpSolit
parent 4e10a0b8
...@@ -351,7 +351,19 @@ sub _argument_type_check { ...@@ -351,7 +351,19 @@ sub _argument_type_check {
Bugzilla->input_params($params); Bugzilla->input_params($params);
if ($self->request->method ne 'POST') { if ($self->request->method eq 'POST') {
# CSRF is possible via XMLHttpRequest when the Content-Type header
# is not application/json (for example: text/plain or
# application/x-www-form-urlencoded).
# application/json is the single official MIME type, per RFC 4627.
my $content_type = $self->cgi->content_type;
# The charset can be appended to the content type, so we use a regexp.
if ($content_type !~ m{^application/json(-rpc)?(;.*)?$}i) {
ThrowUserError('json_rpc_illegal_content_type',
{ content_type => $content_type });
}
}
else {
# When being called using GET, we don't allow calling # When being called using GET, we don't allow calling
# methods that can change data. This protects us against cross-site # methods that can change data. This protects us against cross-site
# request forgeries. # request forgeries.
......
...@@ -1007,6 +1007,11 @@ ...@@ -1007,6 +1007,11 @@
parameter. See the documentation at parameter. See the documentation at
[%+ docs_urlbase FILTER html %]api/Bugzilla/WebService/Server/JSONRPC.html [%+ docs_urlbase FILTER html %]api/Bugzilla/WebService/Server/JSONRPC.html
[% ELSIF error == "json_rpc_illegal_content_type" %]
When using JSON-RPC over POST, you cannot send data as
[%+ content_type FILTER html %]. Only application/json and
application/json-rpc are allowed.
[% ELSIF error == "json_rpc_invalid_params" %] [% ELSIF error == "json_rpc_invalid_params" %]
Could not parse the 'params' argument as valid JSON. Could not parse the 'params' argument as valid JSON.
Error: [% err_msg FILTER html %] Error: [% err_msg FILTER html %]
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment