Bug 793826: Prevent private web service methods from being called

author Koosha Khajeh Moogahi <koosha.khajeh@gmail.com>

Fri, 12 Oct 2012 17:50:00 +0000 (19:50 +0200)

committer Frédéric Buclin <LpSolit@gmail.com>

Fri, 12 Oct 2012 17:50:00 +0000 (19:50 +0200)
author Koosha Khajeh Moogahi <koosha.khajeh@gmail.com>
Fri, 12 Oct 2012 17:50:00 +0000 (19:50 +0200)
committer Frédéric Buclin <LpSolit@gmail.com>
Fri, 12 Oct 2012 17:50:00 +0000 (19:50 +0200)
diff --git a/Bugzilla/WebService/Server.pm b/Bugzilla/WebService/Server.pm

index a43ed204c9ac728911cd1902d262a027cb85f128..15bc4bcca3c4e69ff7b86d594c8bc4fade5d69ec 100644 (file)
--- a/Bugzilla/WebService/Server.pm
+++ b/Bugzilla/WebService/Server.pm
@@ -15,7 +15,9 @@ use Scalar::Util qw(blessed);
  
  sub handle_login {
      my ($self, $class, $method, $full_method) = @_;
-    ThrowCodeError('unknown_method', {method => $full_method}) if !$class;
+    # Throw error if the supplied class does not exist or the method is private
+    ThrowCodeError('unknown_method', {method => $full_method}) if (!$class or $method =~ /^_/);
+
      eval "require $class";
      ThrowCodeError('unknown_method', {method => $full_method}) if $@;
      return if ($class->login_exempt($method)
author	Koosha Khajeh Moogahi <koosha.khajeh@gmail.com>
	Fri, 12 Oct 2012 17:50:00 +0000 (19:50 +0200)
committer	Frédéric Buclin <LpSolit@gmail.com>
	Fri, 12 Oct 2012 17:50:00 +0000 (19:50 +0200)