From: Dave Lawrence Date: Wed, 22 Feb 2012 15:19:27 +0000 (-0500) Subject: Bug 725663 - (CVE-2012-0453) [SECURITY] CSRF vulnerability in the XML-RPC API when... X-Git-Tag: bugzilla-4.0.5~1 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=503e175ec7e67fc7a81b5d9d02a4888fe2060784;p=thirdparty%2Fbugzilla.git Bug 725663 - (CVE-2012-0453) [SECURITY] CSRF vulnerability in the XML-RPC API when using mod_perl r/a=LpSolit --- diff --git a/Bugzilla/WebService/Constants.pm b/Bugzilla/WebService/Constants.pm index 2c95f1eec2..c1230e3aed 100644 --- a/Bugzilla/WebService/Constants.pm +++ b/Bugzilla/WebService/Constants.pm @@ -24,6 +24,7 @@ our @EXPORT = qw( WS_ERROR_CODE ERROR_UNKNOWN_FATAL ERROR_UNKNOWN_TRANSIENT + XMLRPC_CONTENT_TYPE_WHITELIST CONTENT_TYPE_BLACKLIST @@ -161,6 +162,8 @@ use constant WS_ERROR_CODE => { unknown_method => -32601, json_rpc_post_only => 32610, json_rpc_invalid_callback => 32611, + xmlrpc_illegal_content_type => 32612, + json_rpc_illegal_content_type => 32613, }; # These are the fallback defaults for errors not in ERROR_CODE. @@ -177,6 +180,11 @@ use constant CONTENT_TYPE_BLACKLIST => qw( multipart/form-data ); +use constant XMLRPC_CONTENT_TYPE_WHITELIST => qw( + text/xml + application/xml +); + sub WS_DISPATCH { # We "require" here instead of "use" above to avoid a dependency loop. require Bugzilla::Hook; diff --git a/Bugzilla/WebService/Server/XMLRPC.pm b/Bugzilla/WebService/Server/XMLRPC.pm index b74d0eebdb..94d44fd019 100644 --- a/Bugzilla/WebService/Server/XMLRPC.pm +++ b/Bugzilla/WebService/Server/XMLRPC.pm @@ -72,10 +72,18 @@ use XMLRPC::Lite; our @ISA = qw(XMLRPC::Deserializer); use Bugzilla::Error; +use Bugzilla::WebService::Constants qw(XMLRPC_CONTENT_TYPE_WHITELIST); use Scalar::Util qw(tainted); sub deserialize { my $self = shift; + + # Only allow certain content types to protect against CSRF attacks + if (!grep($_ eq $ENV{'CONTENT_TYPE'}, XMLRPC_CONTENT_TYPE_WHITELIST)) { + ThrowUserError('xmlrpc_illegal_content_type', + { content_type => $ENV{'CONTENT_TYPE'} }); + } + my ($xml) = @_; my $som = $self->SUPER::deserialize(@_); if (tainted($xml)) { diff --git a/template/en/default/global/user-error.html.tmpl b/template/en/default/global/user-error.html.tmpl index 5634a7af3e..9e11e36a69 100644 --- a/template/en/default/global/user-error.html.tmpl +++ b/template/en/default/global/user-error.html.tmpl @@ -1685,6 +1685,11 @@ <[% type FILTER html %]> field. (See the XML-RPC specification for details.) + [% ELSIF error == "xmlrpc_illegal_content_type" %] + When using XML-RPC, you cannot send data as + [%+ content_type FILTER html %]. Only text/xml + and application/xml are allowed. + [% ELSIF error == "zero_length_file" %] [% title = "File Is Empty" %] The file you are trying to attach is empty, does not exist, or you don't