Bug 1141440: OPTION response for CORS requests to REST doesn't allow X-Bugzilla headers

r=glob,a=glob

diff --git a/Bugzilla/WebService/Constants.pm b/Bugzilla/WebService/Constants.pm
index cf26665514d24a50e315b7c7654eb90bc1ee1fdb..42aa600ee40a4cce81ff4366c7c6f035b4089a57 100644 (file)
--- a/Bugzilla/WebService/Constants.pm
+++ b/Bugzilla/WebService/Constants.pm
@@ -33,6 +33,8 @@ our @EXPORT = qw(
     REST_CONTENT_TYPE_WHITELIST
 
     WS_DISPATCH
+
+    API_AUTH_HEADERS
 );
 
 # This maps the error names in global/*-error.html.tmpl to numbers.
@@ -313,6 +315,16 @@ sub WS_DISPATCH {
     return $dispatch;
 };
 
+# Custom HTTP headers that can be used for API authentication rather than
+# passing as URL parameters. This is useful if you do not want sensitive
+# information to show up in webserver log files.
+use constant API_AUTH_HEADERS => {
+    X_BUGZILLA_LOGIN    => 'Bugzilla_login',
+    X_BUGZILLA_PASSWORD => 'Bugzilla_password',
+    X_BUGZILLA_API_KEY  => 'Bugzilla_api_key',
+    X_BUGZILLA_TOKEN    => 'Bugzilla_token',
+};
+
 1;
 
 =head1 B<Methods in need of POD>

diff --git a/Bugzilla/WebService/Server/REST.pm b/Bugzilla/WebService/Server/REST.pm
index d02ba5523a1fdd6eca49cea1986924e42e1279eb..9c9141c09fa0701d2ed3bc463f1fe5380dde9103 100644 (file)
--- a/Bugzilla/WebService/Server/REST.pm
+++ b/Bugzilla/WebService/Server/REST.pm
@@ -134,8 +134,10 @@ sub response {
         { rpc => $self, result => \$result, response => $response });
 
     # Access Control
+    my @allowed_headers = (qw(accept content-type origin x-requested-with),
+        map { tr/A-Z_/a-z\-/r } keys API_AUTH_HEADERS());
     $response->header("Access-Control-Allow-Origin", "*");
-    $response->header("Access-Control-Allow-Headers", "origin, content-type, accept, x-requested-with");
+    $response->header("Access-Control-Allow-Headers", join(', ', @allowed_headers));
 
     # ETag support
     my $etag = $self->bz_etag;

diff --git a/Bugzilla/WebService/Util.pm b/Bugzilla/WebService/Util.pm
index 4eae66bd3715673f797731cb34e75c63be219d22..cbbc47921ad4e726b647f6c872687b7c70127a1f 100644 (file)
--- a/Bugzilla/WebService/Util.pm
+++ b/Bugzilla/WebService/Util.pm
@@ -14,6 +14,7 @@ use warnings;
 use Bugzilla::Flag;
 use Bugzilla::FlagType;
 use Bugzilla::Error;
+use Bugzilla::WebService::Constants;
 
 use Storable qw(dclone);
 use URI::Escape qw(uri_unescape);
@@ -261,22 +262,15 @@ sub params_to_objects {
     return \@objects;
 }
 
-use constant X_HEADERS => {
-    X_BUGZILLA_LOGIN    => 'Bugzilla_login',
-    X_BUGZILLA_PASSWORD => 'Bugzilla_password',
-    X_BUGZILLA_API_KEY  => 'Bugzilla_api_key',
-    X_BUGZILLA_TOKEN    => 'Bugzilla_token',
-};
-
 sub fix_credentials {
     my ($params, $cgi) = @_;
 
     # Allow user to pass in authentication details in X-Headers
     # This allows callers to keep credentials out of GET request query-strings
     if ($cgi) {
-        foreach my $field (keys %{ X_HEADERS() }) {
-            next if exists $params->{X_HEADERS->{$field}} || $cgi->http($field) // '' eq '';
-            $params->{X_HEADERS->{$field}} = uri_unescape($cgi->http($field));
+        foreach my $field (keys %{ API_AUTH_HEADERS() }) {
+            next if exists $params->{API_AUTH_HEADERS->{$field}} || ($cgi->http($field) // '') eq '';
+            $params->{API_AUTH_HEADERS->{$field}} = uri_unescape($cgi->http($field));
         }
     }