Backport upstream bug 1090275 to bmo/4.2 to whitelist webservice api methods

RESOLVED FIXED

People

(Reporter: dkl, Assigned: glob)

Tracking

Production
Attachments

(1 attachment, 1 obsolete attachment)

(Reporter)

Description

4 years ago
SSIA
(Assignee)

Comment 1

4 years ago
Created attachment 8552920 [details] [diff] [review]
1124437_1.patch

taking because we need this asap, and dkl is likely to be busy with another upstream release.
Assignee: dkl → glob
Attachment #8552920 - Flags: review?(dylan)
Comment on attachment 8552920 [details] [diff] [review]
1124437_1.patch

Review of attachment 8552920 [details] [diff] [review]:
-----------------------------------------------------------------

r-

Tests pass and disallowed methods are forbidden from running. However, what I missed before is that there is no method bz_method_name() -- it is spelled _bz_method_name(), so this fails for the entirely wrong reason. And then there's ThrowCoreError instead of ThrowCodeError.

::: Bugzilla/WebService/Server/JSONRPC.pm
@@ +417,5 @@
>      }
>  
> +    # Only allowed methods to be used from our whitelist
> +    if (none { $_ eq $method} $pkg->PUBLIC_METHODS) {
> +        ThrowCoreError('unknown_method', { method => $self->bz_method_name });
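Review bot: the rejection path in this hunk calls `$self->bz_method_name`, which as noted above does not exist (the accessor is `_bz_method_name`), and `ThrowCoreError` should be `ThrowCodeError`. A request for a non-whitelisted method therefore still dies, but with a Perl "Can't locate object method" failure instead of the intended `unknown_method` error, which is why the tests pass for the wrong reason. Suggest `ThrowCodeError('unknown_method', { method => $self->_bz_method_name });` together with a test that asserts on the `unknown_method` error code rather than on the call merely failing. The hunk also does not show where `none` (List::MoreUtils) is imported; confirm it is already imported in JSONRPC.pm.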

Interesting typo here.
Attachment #8552920 - Flags: review?(dylan) → review-
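Added example, not bmo's or Bugzilla's code: a stand-alone Perl sketch of the whitelist check under review. Demo::Service, its methods, `_wipe_cache` and both dispatcher subs are hypothetical; `PUBLIC_METHODS`, `_bz_method_name` and the `none { $_ eq $method }` test mirror the names in the hunk. It contrasts a dispatcher that only asks `can($method)` (so every sub in the package, internal helpers included, is remotely callable) with one gated on the package's PUBLIC_METHODS list.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use List::MoreUtils qw(none);

# Hypothetical service class standing in for a Bugzilla::WebService::* package.
# Like the real ones, it declares its RPC-callable methods in PUBLIC_METHODS.
package Demo::Service;

use constant PUBLIC_METHODS => qw(get create);

sub new { my ($class, %args) = @_; return bless {%args}, $class }

sub get    { my ($self, $args) = @_; return "bug $args->{id}" }
sub create { my ($self, $args) = @_; return "created '$args->{summary}'" }

# Internal helper: an ordinary sub in the package, so a dispatcher that only
# checks ->can($method) would run it for any remote caller.
sub _wipe_cache { return "cache wiped" }

# Accessor spelled the way the review points out (leading underscore).
sub _bz_method_name { my ($self) = @_; return $self->{method_name} }

package main;

# Dispatcher without the whitelist: anything the package can() is callable.
sub dispatch_unchecked {
    my ($pkg, $method, $args) = @_;
    my $self = $pkg->new(method_name => "$pkg.$method");
    die "unknown_method: " . $self->_bz_method_name . "\n"
        unless $self->can($method);
    return $self->$method($args);
}

# Dispatcher with the check from the patch: the method must appear in
# PUBLIC_METHODS, otherwise the request is rejected before anything runs.
sub dispatch_whitelisted {
    my ($pkg, $method, $args) = @_;
    my $self = $pkg->new(method_name => "$pkg.$method");
    if (none { $_ eq $method } $pkg->PUBLIC_METHODS) {
        die "unknown_method: " . $self->_bz_method_name . "\n";
    }
    return $self->$method($args);
}

# Constructed sample requests: one public method, one internal helper.
my @dispatchers = (
    [unchecked   => \&dispatch_unchecked],
    [whitelisted => \&dispatch_whitelisted],
);
for my $call (['get', { id => 42 }], ['_wipe_cache', {}]) {
    my ($method, $args) = @$call;
    for my $d (@dispatchers) {
        my ($name, $code) = @$d;
        my $result = eval { $code->('Demo::Service', $method, $args) };
        chomp(my $outcome = defined $result ? $result : "rejected ($@)");
        printf "%-12s %-12s -> %s\n", $name, $method, $outcome;
    }
}
```

Run with `perl whitelist_demo.pl` (List::MoreUtils is the only non-core dependency). Both dispatchers serve `get`; only the whitelisted one rejects `_wipe_cache`, and it does so with the intended `unknown_method` message because the accessor is spelled `_bz_method_name`, the point the review makes about the first patch.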
(Reporter)

Comment 3

4 years ago
Sorry about this. I had actually done the work last night but I had to stop before I had finished testing everything. Thanks for taking it up.
(Assignee)

Comment 4

4 years ago
Created attachment 8553559 [details] [diff] [review]
1124437_2.patch

oops :)
Attachment #8552920 - Attachment is obsolete: true
Attachment #8553559 - Flags: review?(dylan)

Updated

4 years ago
Blocks: 1125208
Comment on attachment 8553559 [details] [diff] [review]
1124437_2.patch

Review of attachment 8553559 [details] [diff] [review]:
-----------------------------------------------------------------

r=dylan

with the note that I haven't exhaustively called every method. I did spot-check and compare the public methods to the apparent public methods of the classes (especially in the case of extensions).
Attachment #8553559 - Flags: review?(dylan) → review+
(Assignee)

Comment 6

4 years ago
To ssh://gitolite3@git.mozilla.org/webtools/bmo/bugzilla.git
   cd92366..a748745  master -> master
Status: ASSIGNED → RESOLVED
Last Resolved: 4 years ago
Resolution: --- → FIXED