From: Frédéric Buclin Date: Tue, 31 Jan 2012 16:03:30 +0000 (+0100) Subject: Bug 718319: (CVE-2012-0440) [SECURITY] JSON-RPC permits to bypass token checks and... X-Git-Tag: bugzilla-4.0.4~2 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=27ca66c3815bb9658c831c986e0ebd2716ed426a;p=thirdparty%2Fbugzilla.git Bug 718319: (CVE-2012-0440) [SECURITY] JSON-RPC permits to bypass token checks and can lead to CSRF (no victim's action required) r=mkanat a=LpSolit
---
diff --git a/Bugzilla/WebService/Constants.pm b/Bugzilla/WebService/Constants.pm
index 8881974cd0..2c95f1eec2 100644
--- a/Bugzilla/WebService/Constants.pm
+++ b/Bugzilla/WebService/Constants.pm
@@ -25,6 +25,8 @@ our @EXPORT = qw(
 ERROR_UNKNOWN_FATAL
 ERROR_UNKNOWN_TRANSIENT
+ CONTENT_TYPE_BLACKLIST
+ WS_DISPATCH
 );
@@ -167,6 +169,14 @@ use constant ERROR_UNKNOWN_TRANSIENT => 32000;
 use constant ERROR_GENERAL => 999;
+# Blacklist content types which can lead to CSRF when using POST with JSON-RPC.
+# The default content type for JSON-RPC is application/json.
+use constant CONTENT_TYPE_BLACKLIST => qw(
+ text/plain
+ application/x-www-form-urlencoded
+ multipart/form-data
+);
+
 sub WS_DISPATCH {
 # We "require" here instead of "use" above to avoid a dependency loop.
 require Bugzilla::Hook;
diff --git a/Bugzilla/WebService/Server/JSONRPC.pm b/Bugzilla/WebService/Server/JSONRPC.pm
index 3b232aafaf..5ee341b4b1 100644
--- a/Bugzilla/WebService/Server/JSONRPC.pm
+++ b/Bugzilla/WebService/Server/JSONRPC.pm
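Review bot: CONTENT_TYPE_BLACKLIST is a deny-list, so every media type not named in it is implicitly trusted, and the comment above it does not say what the three entries have in common or when the list must grow. Presumably they were chosen because they are the only Content-Type values a browser attaches to a cross-site form submission or a credentialed request without a CORS preflight; that rationale belongs in the comment, e.g. `# Only the media types a browser sends cross-site without a CORS preflight; a new form encoding, or a server that accepts other types, means revisiting this list.` A tighter alternative that needs no maintenance is an allow-list of the JSON media types this server actually accepts, compared against the media type with its parameters (such as charset) stripped rather than by substring. The substring match in Bugzilla/WebService/Server/JSONRPC.pm is safe only while the list stays a deny-list, because over-matching there merely rejects more requests.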
@@ -374,6 +374,17 @@ sub _argument_type_check {
 { method => $self->_bz_method_name });
 }
 }
+ else {
+ # CSRF is also possible when using |Content-Type: text/plain| with POST.
+ # There are some other content types which must also be banned for
+ # security reasons.
+ my $content_type = $self->cgi->content_type;
+ # The charset can be appended to the content type, so we use a regexp.
+ if (grep { $content_type =~ m{\Q$_\E}i } CONTENT_TYPE_BLACKLIST) {
+ ThrowUserError('json_rpc_illegal_content_type',
+ { content_type => $content_type });
+ }
+ }
 # This is the best time to do login checks.
 $self->handle_login();
diff --git a/template/en/default/global/user-error.html.tmpl b/template/en/default/global/user-error.html.tmpl
index b4be5d86a6..5634a7af3e 100644
--- a/template/en/default/global/user-error.html.tmpl
+++ b/template/en/default/global/user-error.html.tmpl
@@ -1003,6 +1003,10 @@
 parameter. See the documentation at
 [%+ docs_urlbase FILTER html %]api/Bugzilla/WebService/Server/JSONRPC.html
+ [% ELSIF error == "json_rpc_illegal_content_type" %]
+ When using JSON-RPC over POST, you cannot use [% content_type FILTER html %]
+ as content type. The recommended content type is application/json.
+
 [% ELSIF error == "json_rpc_invalid_params" %]
 Could not parse the 'params' argument as valid JSON.
 Error: [% err_msg FILTER html %]
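Review bot: `my $content_type = $self->cgi->content_type;` can yield undef when the request carries no Content-Type header, and the following `grep` then matches every pattern against undef, which under `use warnings` emits an uninitialized-value warning and silently treats the request as acceptable, so the branch never decides what a POST with no declared media type should do. Suggest `my $content_type = $self->cgi->content_type || '';` followed by a comment stating the chosen policy for the empty case, and if such requests are to be rejected, make it explicit with `if ($content_type eq '' || grep { $content_type =~ m{\Q$_\E}i } CONTENT_TYPE_BLACKLIST) {` rather than leaving it to a failed regex. Placing the check ahead of `handle_login()` is right, since the rejection must precede any use of the session cookie. `_argument_type_check` begins before this hunk and the `if` that this `else` pairs with is outside it, so the reading that the else branch covers only non-GET requests is inferred from the comment, not visible here.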