WS_ERROR_CODE
ERROR_UNKNOWN_FATAL
ERROR_UNKNOWN_TRANSIENT
+ XMLRPC_CONTENT_TYPE_WHITELIST
CONTENT_TYPE_BLACKLIST
unknown_method => -32601,
json_rpc_post_only => 32610,
json_rpc_invalid_callback => 32611,
+ xmlrpc_illegal_content_type => 32612,
+ json_rpc_illegal_content_type => 32613,
};
# These are the fallback defaults for errors not in ERROR_CODE.
multipart/form-data
);
+use constant XMLRPC_CONTENT_TYPE_WHITELIST => qw(
+ text/xml
+ application/xml
+);
+
sub WS_DISPATCH {
# We "require" here instead of "use" above to avoid a dependency loop.
require Bugzilla::Hook;
our @ISA = qw(XMLRPC::Deserializer);
use Bugzilla::Error;
+use Bugzilla::WebService::Constants qw(XMLRPC_CONTENT_TYPE_WHITELIST);
use Scalar::Util qw(tainted);
sub deserialize {
my $self = shift;
+
+ # Only allow certain content types to protect against CSRF attacks
+ if (!grep($_ eq $ENV{'CONTENT_TYPE'}, XMLRPC_CONTENT_TYPE_WHITELIST)) {
+ ThrowUserError('xmlrpc_illegal_content_type',
+ { content_type => $ENV{'CONTENT_TYPE'} });
+ }
+
my ($xml) = @_;
my $som = $self->SUPER::deserialize(@_);
if (tainted($xml)) {
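Review bot: The whitelist test on the `if (!grep($_ eq $ENV{'CONTENT_TYPE'}, XMLRPC_CONTENT_TYPE_WHITELIST))` line compares the raw header value byte-for-byte, so a request declaring `text/xml; charset=UTF-8` (a parameter many XML-RPC clients add) or `Text/XML` is refused even though its media type is on the list, and a request with no Content-Type at all makes `eq` warn about an uninitialized value before the error is thrown. Normalizing the value before the lookup — lowercase, drop everything from the first `;`, trim whitespace, default to the empty string — keeps the CSRF protection intact, since the check still keys on the base media type that a browser form cannot produce, while accepting legitimate clients. The original header should still be what is passed to the error, so the user sees exactly what was sent. deserialize's body continues past the hunk; the `if (tainted($xml))` block is still open at its last line.
```perl
    # Only allow certain content types to protect against CSRF attacks.
    # Compare the bare media type: case-insensitive, without parameters
    # such as "; charset=...", and never undef.
    my $content_type = lc($ENV{'CONTENT_TYPE'} || '');
    $content_type =~ s/;.*//s;
    $content_type =~ s/^\s+|\s+$//g;
    if (!grep($_ eq $content_type, XMLRPC_CONTENT_TYPE_WHITELIST)) {
        ThrowUserError('xmlrpc_illegal_content_type',
                       { content_type => $ENV{'CONTENT_TYPE'} });
    }
    # … unchanged: my ($xml) = @_; and the rest of deserialize …
```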
<[% type FILTER html %]> field. (See the XML-RPC specification
for details.)
+ [% ELSIF error == "xmlrpc_illegal_content_type" %]
+ When using XML-RPC, you cannot send data as
+ [%+ content_type FILTER html %]. Only text/xml
+ and application/xml are allowed.
+
[% ELSIF error == "zero_length_file" %]
[% title = "File Is Empty" %]
The file you are trying to attach is empty, does not exist, or you don't