From: Frédéric Buclin <LpSolit@gmail.com>
Date: Tue, 31 Jan 2012 16:01:20 +0000 (+0100)
Subject: (CVE-2012-0440) [SECURITY] JSON-RPC permits to bypass token checks and can lead to... 
X-Git-Tag: bugzilla-4.2rc2~1
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=0b14241a7c307a2619cb67cee42086b30fa03795;p=thirdparty%2Fbugzilla.git

(CVE-2012-0440) [SECURITY] JSON-RPC permits to bypass token checks and can lead to CSRF (no victim's action required)
r=mkanat a=LpSolit

https://bugzilla.mozilla.org/show_bug.cgi?id=718319
---

diff --git a/Bugzilla/WebService/Server/JSONRPC.pm b/Bugzilla/WebService/Server/JSONRPC.pm
index 3b232aafaf..cec1c29ea2 100644
--- a/Bugzilla/WebService/Server/JSONRPC.pm
+++ b/Bugzilla/WebService/Server/JSONRPC.pm
@@ -365,7 +365,19 @@ sub _argument_type_check {
 
     Bugzilla->input_params($params);
 
-    if ($self->request->method ne 'POST') {
+    if ($self->request->method eq 'POST') {
+        # CSRF is possible via XMLHttpRequest when the Content-Type header
+        # is not application/json (for example: text/plain or
+        # application/x-www-form-urlencoded).
+        # application/json is the single official MIME type, per RFC 4627.
+        my $content_type = $self->cgi->content_type;
+        # The charset can be appended to the content type, so we use a regexp.
+        if ($content_type !~ m{^application/json(-rpc)?(;.*)?$}i) {
+            ThrowUserError('json_rpc_illegal_content_type',
+                            { content_type => $content_type });
+        }
+    }
+    else {
         # When being called using GET, we don't allow calling
         # methods that can change data. This protects us against cross-site
         # request forgeries.
diff --git a/template/en/default/global/user-error.html.tmpl b/template/en/default/global/user-error.html.tmpl
index dc0a94ac7f..9e99dae155 100644
--- a/template/en/default/global/user-error.html.tmpl
+++ b/template/en/default/global/user-error.html.tmpl
@@ -1018,6 +1018,11 @@
     parameter. See the documentation at
     [%+ docs_urlbase FILTER html %]api/Bugzilla/WebService/Server/JSONRPC.html
 
+  [% ELSIF error == "json_rpc_illegal_content_type" %]
+    When using JSON-RPC over POST, you cannot send data as
+    [%+ content_type FILTER html %]. Only application/json and
+    application/json-rpc are allowed.
+
   [% ELSIF error == "json_rpc_invalid_params" %]
     Could not parse the 'params' argument as valid JSON.
     Error: [% err_msg FILTER html %]