WS_ERROR_CODE
ERROR_UNKNOWN_FATAL
ERROR_UNKNOWN_TRANSIENT
+ XMLRPC_CONTENT_TYPE_WHITELIST
WS_DISPATCH
);
unknown_method => -32601,
json_rpc_post_only => 32610,
json_rpc_invalid_callback => 32611,
+ xmlrpc_illegal_content_type => 32612,
+ json_rpc_illegal_content_type => 32613,
};
# These are the fallback defaults for errors not in ERROR_CODE.
use constant ERROR_GENERAL => 999;
+use constant XMLRPC_CONTENT_TYPE_WHITELIST => qw(
+ text/xml
+ application/xml
+);
+
sub WS_DISPATCH {
# We "require" here instead of "use" above to avoid a dependency loop.
require Bugzilla::Hook;
our @ISA = qw(XMLRPC::Deserializer);
use Bugzilla::Error;
+use Bugzilla::WebService::Constants qw(XMLRPC_CONTENT_TYPE_WHITELIST);
use Scalar::Util qw(tainted);
sub deserialize {
my $self = shift;
+
+ # Only allow certain content types to protect against CSRF attacks
+ if (!grep($_ eq $ENV{'CONTENT_TYPE'}, XMLRPC_CONTENT_TYPE_WHITELIST)) {
+ ThrowUserError('xmlrpc_illegal_content_type',
+ { content_type => $ENV{'CONTENT_TYPE'} });
+ }
+
my ($xml) = @_;
my $som = $self->SUPER::deserialize(@_);
if (tainted($xml)) {
<[% type FILTER html %]> field. (See the XML-RPC specification
for details.)
+ [% ELSIF error == "xmlrpc_illegal_content_type" %]
+ When using XML-RPC, you cannot send data as
+ [%+ content_type FILTER html %]. Allowed content types
+ are [% constants.XMLRPC_CONTENT_TYPE_WHITELIST.join(', ') %].
+
[% ELSIF error == "zero_length_file" %]
[% title = "File Is Empty" %]
The file you are trying to attach is empty, does not exist, or you don't
projects / thirdparty / bugzilla.git / commitdiff
