Bug 793826: Prevent private web service methods from being called

author Koosha Khajeh Moogahi <koosha.khajeh@gmail.com>

Fri, 12 Oct 2012 17:51:50 +0000 (19:51 +0200)

committer Frédéric Buclin <LpSolit@gmail.com>

Fri, 12 Oct 2012 17:51:50 +0000 (19:51 +0200)
author Koosha Khajeh Moogahi <koosha.khajeh@gmail.com>
Fri, 12 Oct 2012 17:51:50 +0000 (19:51 +0200)
committer Frédéric Buclin <LpSolit@gmail.com>
Fri, 12 Oct 2012 17:51:50 +0000 (19:51 +0200)
diff --git a/Bugzilla/WebService/Server.pm b/Bugzilla/WebService/Server.pm

index feb80e9d025f15a39ea50cc1066945dfe671532c..206f0c657ddd60cb4639d39ece47ff632686029e 100644 (file)
--- a/Bugzilla/WebService/Server.pm
+++ b/Bugzilla/WebService/Server.pm
@@ -25,7 +25,9 @@ use Scalar::Util qw(blessed);
  
  sub handle_login {
      my ($self, $class, $method, $full_method) = @_;
-    ThrowCodeError('unknown_method', {method => $full_method}) if !$class;
+    # Throw error if the supplied class does not exist or the method is private
+    ThrowCodeError('unknown_method', {method => $full_method}) if (!$class or $method =~ /^_/);
+
      eval "require $class";
      ThrowCodeError('unknown_method', {method => $full_method}) if $@;
      return if ($class->login_exempt($method)
author	Koosha Khajeh Moogahi <koosha.khajeh@gmail.com>
	Fri, 12 Oct 2012 17:51:50 +0000 (19:51 +0200)
committer	Frédéric Buclin <LpSolit@gmail.com>
	Fri, 12 Oct 2012 17:51:50 +0000 (19:51 +0200)