Bug 731219 - XMLRPC content-type verification fails if a charset is provided
Status: RESOLVED FIXED
Keywords: regression
Product: Bugzilla
Classification: Server Software
Component: WebService
Version: 4.0.5
Platform: All All
Importance: P1 blocker
Target Milestone: Bugzilla 4.0
Assigned To: Byron Jones ‹:glob› [PTO until 2017-01-09]
QA Contact: default-qa
Duplicates: 731290 731424
Depends on: CVE-2012-0453
Blocks: 747755
 
Reported: 2012-02-28 07:56 PST by Byron Jones ‹:glob› [PTO until 2017-01-09]
Modified: 2012-04-22 13:48 PDT
LpSolit: approval+
LpSolit: approval4.2+
LpSolit: blocking4.2.1+
LpSolit: approval4.0+
LpSolit: blocking4.0.6+


Attachments
patch v1 (715 bytes, patch)
2012-02-28 08:06 PST, Byron Jones ‹:glob› [PTO until 2017-01-09]
dkl: review+

Description Byron Jones ‹:glob› [PTO until 2017-01-09] 2012-02-28 07:56:28 PST
following the change in bug 725663, if an xmlrpc client sets the charset as part of its content-type header, we're incorrectly rejecting the request.

for example, ruby's xmlrpc library sends a content-type of "text/xml; charset=utf-8" which results in "Only text/xml and application/xml are allowed."
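
The failure reported above, as an added example (not Bugzilla's code and not the attached patch): a whole-header comparison beside a check that compares only the media type and ignores parameters such as `charset`. The sub names and the sample header values are constructed for illustration.

```perl
#!/usr/bin/perl
# Added example, not Bugzilla code. Sub names and samples are hypothetical.
use strict;
use warnings;

# The two media types named in the error message quoted in the report.
my %ALLOWED = map { $_ => 1 } qw(text/xml application/xml);

# Strict form: compares the whole header value, so any parameter
# (for example "; charset=utf-8") makes a legitimate request fail.
sub allowed_strict {
    my ($header) = @_;
    return exists $ALLOWED{ $header // '' } ? 1 : 0;
}

# Parameter-tolerant form: take only the type/subtype token pair and
# require either end-of-value or ";" after it. Anchoring both ends keeps
# values such as "text/xmlfoo" or "text/xml, text/plain" rejected, which
# a prefix or substring match would let through.
sub allowed_media_type {
    my ($header) = @_;
    return 0 unless defined $header;
    my $token = qr/[!#\$%&'*+\-.^_`|~0-9A-Za-z]+/;
    my ($type) = $header =~ m{\A[ \t]*($token/$token)[ \t]*(?:;.*)?\z}
        or return 0;
    # Media types are case-insensitive, so normalise before the lookup.
    return exists $ALLOWED{ lc $type } ? 1 : 0;
}

# Constructed Content-Type values, not captured traffic.
my @samples = (
    'text/xml',
    'text/xml; charset=utf-8',          # the value quoted in the report
    'Application/XML;charset=UTF-8',
    'text/plain',
    'text/xmlfoo',
    'text/xml, text/plain',
    '',
);

printf "%-34s strict=%d media_type=%d\n",
    "'$_'", allowed_strict($_), allowed_media_type($_)
    for @samples;
```
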
Comment 1 Byron Jones ‹:glob› [PTO until 2017-01-09] 2012-02-28 08:06:07 PST
Created attachment 601276
patch v1
Comment 2 Frédéric Buclin 2012-02-28 10:42:11 PST
*** Bug 731290 has been marked as a duplicate of this bug. ***
Comment 3 David Lawrence [:dkl] 2012-02-28 11:45:33 PST
Comment on attachment 601276
patch v1

Review of attachment 601276:
-----------------------------------------------------------------

Looks good and passes testing r=dkl
Comment 4 Reed Loden [:reed] (use needinfo?) 2012-02-28 15:16:29 PST
*** Bug 731424 has been marked as a duplicate of this bug. ***
Comment 5 Reed Loden [:reed] (use needinfo?) 2012-02-28 15:17:13 PST
This needs to be immediately pushed to bmo, as it's causing major production issues for webtools that use the API.
Comment 6 Byron Jones ‹:glob› [PTO until 2017-01-09] 2012-02-28 20:47:09 PST
(In reply to Reed Loden [:reed] (very busy) from comment #5)
> This needs to be immediately pushed to bmo, as it's causing major production
> issues for webtools that use the API.

agreed; i'll liaise with IT and get this pushed soon.
we should also release 4.0.6 and 4.2.1
Comment 7 Byron Jones ‹:glob› [PTO until 2017-01-09] 2012-02-28 20:54:47 PST
Committing to: bzr+ssh://bjones%40mozilla.com@bzr.mozilla.org/bugzilla/4.0/
modified Bugzilla/WebService/Server/XMLRPC.pm
Committed revision 7699.

Committing to: bzr+ssh://bjones%40mozilla.com@bzr.mozilla.org/bugzilla/4.2/
modified Bugzilla/WebService/Server/XMLRPC.pm
Committed revision 8042.

Committing to: bzr+ssh://bjones%40mozilla.com@bzr.mozilla.org/bugzilla/trunk/
modified Bugzilla/WebService/Server/XMLRPC.pm
Committed revision 8138.
Comment 8 Byron Jones ‹:glob› [PTO until 2017-01-09] 2012-02-28 23:06:49 PST
(In reply to Byron Jones ‹:glob› from comment #6)
> (In reply to Reed Loden [:reed] (very busy) from comment #5)
> > This needs to be immediately pushed to bmo, as it's causing major production
> > issues for webtools that use the API.
> 
> agreed; i'll liaise with IT and get this pushed soon.

this fix is now live on bmo.
