ERROR_UNKNOWN_FATAL
ERROR_UNKNOWN_TRANSIENT
+ CONTENT_TYPE_BLACKLIST
+
WS_DISPATCH
);
use constant ERROR_GENERAL => 999;
+# Blacklist content types which can lead to CSRF when using POST with JSON-RPC.
+# The default content type for JSON-RPC is application/json.
+use constant CONTENT_TYPE_BLACKLIST => qw(
+ text/plain
+ application/x-www-form-urlencoded
+ multipart/form-data
+);
+
sub WS_DISPATCH {
# We "require" here instead of "use" above to avoid a dependency loop.
require Bugzilla::Hook;
Bugzilla->input_params($params);
+ # CSRF is possible when using |Content-Type: text/plain| with POST.
+ # There are some other content types which must also be banned for
+ # security reasons.
+ my $content_type = $self->cgi->content_type;
+ # The charset can be appended to the content type, so we use a regexp.
+ if (grep { $content_type =~ m{\Q$_\E}i } CONTENT_TYPE_BLACKLIST) {
+ ThrowUserError('json_rpc_illegal_content_type',
+ { content_type => $content_type });
+ }
+
# This is the best time to do login checks.
$self->handle_login();
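Review bot: The blacklist on L25 only rejects the three listed types, so a POST that carries no Content-Type header at all (or an empty one) passes straight through to dispatch, and a browser can still send such a request cross-origin without a CORS preflight (e.g. an XHR/fetch body supplied as a Blob with an empty type), which leaves the CSRF hole the hunk is meant to close; the deny-list also silently admits any future "simple" type. An allow-list is the robust form: `if (!defined $content_type || $content_type !~ m{^application/json(?:-rpc)?\b}i) {` followed by the existing ThrowUserError, which also avoids the "uninitialized value" warning the current match would presumably emit when `$self->cgi->content_type` returns undef. If other clients legitimately post with another JSON media type, add it to the same anchored alternation rather than reverting to a blacklist. The enclosing sub starts outside this hunk.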
[%+ constants.LOGIN_LOCKOUT_INTERVAL FILTER html %] minutes.
[% END %]
+ [% ELSIF error == "json_rpc_illegal_content_type" %]
+ When using JSON-RPC over POST, you cannot use [% content_type FILTER html %]
+ as content type. The recommended content type is application/json.
+
[% ELSIF error == "json_rpc_post_only" %]
For security reasons, you may only use JSON-RPC with the POST
HTTP method.