Skip to content
Projects
Groups
Snippets
Help
This project
Loading...
Sign in / Register
Toggle navigation
bugzilla
Project
Project
Details
Activity
Cycle Analytics
Repository
Repository
Files
Commits
Branches
Tags
Contributors
Graph
Compare
Charts
Issues
0
Issues
0
List
Board
Labels
Milestones
Merge Requests
0
Merge Requests
0
CI / CD
CI / CD
Pipelines
Jobs
Schedules
Charts
Registry
Registry
Wiki
Wiki
Snippets
Snippets
Members
Members
Collapse sidebar
Close sidebar
Activity
Graph
Charts
Create a new issue
Jobs
Commits
Issue Boards
Open sidebar
Ivan Ivlev
bugzilla
Commits
5dc75560
Commit
5dc75560
authored
Nov 09, 2009
by
mkanat%bugzilla.org
Browse files
Options
Browse Files
Download
Email Patches
Plain Diff
Bug 513593: Make the WebService taint incoming parameters
Patch by Max Kanat-Alexander <mkanat@bugzilla.org> r=dkl, a=mkanat
parent
877c8ef6
Hide whitespace changes
Inline
Side-by-side
Showing
4 changed files
with
73 additions
and
2 deletions
+73
-2
Requirements.pm
Bugzilla/Install/Requirements.pm
+6
-0
JSONRPC.pm
Bugzilla/WebService/Server/JSONRPC.pm
+3
-0
XMLRPC.pm
Bugzilla/WebService/Server/XMLRPC.pm
+29
-0
Util.pm
Bugzilla/WebService/Util.pm
+35
-2
No files found.
Bugzilla/Install/Requirements.pm
View file @
5dc75560
...
...
@@ -233,6 +233,12 @@ sub OPTIONAL_MODULES {
feature
=>
[
'jsonrpc'
],
},
{
package
=>
'Test-Taint'
,
module
=>
'Test::Taint'
,
version
=>
0
,
feature
=>
[
'jsonrpc'
,
'xmlrpc'
],
},
{
# We need the 'utf8_mode' method of HTML::Parser, for HTML::Scrubber.
package
=>
'HTML-Parser'
,
module
=>
'HTML::Parser'
,
...
...
Bugzilla/WebService/Server/JSONRPC.pm
View file @
5dc75560
...
...
@@ -26,6 +26,7 @@ use base qw(JSON::RPC::Server::CGI Bugzilla::WebService::Server);
use
Bugzilla::
Error
;
use
Bugzilla::WebService::
Constants
;
use
Bugzilla::WebService::
Util
qw(taint_data)
;
use
Date::
Parse
;
use
DateTime
;
...
...
@@ -123,6 +124,8 @@ sub _argument_type_check {
$params
=
$params
->
[
0
];
}
taint_data
(
$params
);
# Now, convert dateTime fields on input.
$self
->
_bz_method_name
=~
/^(\S+)\.(\S+)$/
;
my
(
$class
,
$method
)
=
(
$1
,
$2
);
...
...
Bugzilla/WebService/Server/XMLRPC.pm
View file @
5dc75560
...
...
@@ -68,6 +68,18 @@ eval { require XMLRPC::Lite; };
our
@ISA
=
qw(XMLRPC::Deserializer)
;
use
Bugzilla::
Error
;
use
Scalar::
Util
qw(tainted)
;
sub
deserialize
{
my
$self
=
shift
;
my
(
$xml
)
=
@_
;
my
$som
=
$self
->
SUPER::
deserialize
(
@_
);
if
(
tainted
(
$xml
))
{
$som
->
{
_bz_do_taint
}
=
1
;
}
bless
$som
,
'Bugzilla::XMLRPC::SOM'
;
return
$som
;
}
# Some method arguments need to be converted in some way, when they are input.
sub
decode_value
{
...
...
@@ -126,6 +138,23 @@ sub _validation_subs {
1
;
package
Bugzilla::XMLRPC::
SOM
;
use
strict
;
eval
{
require
XMLRPC::
Lite
;
};
our
@ISA
=
qw(XMLRPC::SOM)
;
use
Bugzilla::WebService::
Util
qw(taint_data)
;
sub
paramsin
{
my
$self
=
shift
;
my
$params
=
$self
->
SUPER::
paramsin
(
@_
);
if
(
$self
->
{
_bz_do_taint
})
{
taint_data
(
$params
);
}
return
$params
;
}
1
;
# This package exists to fix a UTF-8 bug in SOAP::Lite.
# See http://rt.cpan.org/Public/Bug/Display.html?id=32952.
package
Bugzilla::XMLRPC::
Serializer
;
...
...
Bugzilla/WebService/Util.pm
View file @
5dc75560
...
...
@@ -21,10 +21,17 @@
package
Bugzilla::WebService::
Util
;
use
strict
;
use
base
qw(Exporter)
;
our
@EXPORT_OK
=
qw(filter validate)
;
# We have to "require", not "use" this, because otherwise it tries to
# use features of Test::More during import().
require
Test::
Taint
;
our
@EXPORT_OK
=
qw(
filter
taint_data
validate
)
;
sub
filter
($$)
{
my
(
$params
,
$hash
)
=
@_
;
...
...
@@ -44,6 +51,32 @@ sub filter ($$) {
return
\%
newhash
;
}
sub
taint_data
{
my
$params
=
shift
;
return
if
!
$params
;
# Though this is a private function, it hasn't changed since 2004 and
# should be safe to use, and prevents us from having to write it ourselves
# or require another module to do it.
Test::Taint::
_deeply_traverse
(
\&
_delete_bad_keys
,
$params
);
Test::Taint::
taint_deeply
(
$params
);
}
sub
_delete_bad_keys
{
foreach
my
$item
(
@_
)
{
next
if
ref
$item
ne
'HASH'
;
foreach
my
$key
(
keys
%
$item
)
{
# Making something a hash key always untaints it, in Perl.
# However, we need to validate our argument names in some way.
# We know that all hash keys passed in to the WebService will
# match \w+, so we delete any key that doesn't match that.
if
(
$key
!~
/^\w+$/
)
{
delete
$item
->
{
$key
};
}
}
}
return
@_
;
}
sub
validate
{
my
(
$self
,
$params
,
@keys
)
=
@_
;
...
...
Write
Preview
Markdown
is supported
0%
Try again
or
attach a new file
Attach a file
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Cancel
Please
register
or
sign in
to comment