ERROR_UNKNOWN_FATAL
ERROR_UNKNOWN_TRANSIENT
+ CONTENT_TYPE_BLACKLIST
+
WS_DISPATCH
);
use constant ERROR_GENERAL => 999;
+# Blacklist content types which can lead to CSRF when using POST with JSON-RPC.
+# The default content type for JSON-RPC is application/json.
+use constant CONTENT_TYPE_BLACKLIST => qw(
+ text/plain
+ application/x-www-form-urlencoded
+ multipart/form-data
+);
+
sub WS_DISPATCH {
# We "require" here instead of "use" above to avoid a dependency loop.
require Bugzilla::Hook;
{ method => $self->_bz_method_name });
}
}
+ else {
+ # CSRF is also possible when using |Content-Type: text/plain| with POST.
+ # There are some other content types which must also be banned for
+ # security reasons.
+ my $content_type = $self->cgi->content_type;
+ # The charset can be appended to the content type, so we use a regexp.
+ if (grep { $content_type =~ m{\Q$_\E}i } CONTENT_TYPE_BLACKLIST) {
+ ThrowUserError('json_rpc_illegal_content_type',
+ { content_type => $content_type });
+ }
+ }
# This is the best time to do login checks.
$self->handle_login();
parameter. See the documentation at
[%+ docs_urlbase FILTER html %]api/Bugzilla/WebService/Server/JSONRPC.html
+ [% ELSIF error == "json_rpc_illegal_content_type" %]
+ When using JSON-RPC over POST, you cannot use [% content_type FILTER html %]
+ as content type. The recommended content type is application/json.
+
[% ELSIF error == "json_rpc_invalid_params" %]
Could not parse the 'params' argument as valid JSON.
Error: [% err_msg FILTER html %]
projects / thirdparty / bugzilla.git / commitdiff
