diff --git a/mozilla/webtools/bugzilla/.bzrrev b/mozilla/webtools/bugzilla/.bzrrev
index 80726f330f2..15a8c2a15c5 100644
--- a/mozilla/webtools/bugzilla/.bzrrev
+++ b/mozilla/webtools/bugzilla/.bzrrev
@@ -1 +1 @@
-9327
\ No newline at end of file
+9328
\ No newline at end of file
diff --git a/mozilla/webtools/bugzilla/.gitrev b/mozilla/webtools/bugzilla/.gitrev
index 068d122952d..d56b741eaff 100644
--- a/mozilla/webtools/bugzilla/.gitrev
+++ b/mozilla/webtools/bugzilla/.gitrev
@@ -1 +1 @@
-74fb163c93ccb10475f507b4b1fe7f4817990a10
\ No newline at end of file
+c3b984aa204bdb318b05302ab50702b789c305b0
\ No newline at end of file
diff --git a/mozilla/webtools/bugzilla/Bugzilla/WebService/Constants.pm b/mozilla/webtools/bugzilla/Bugzilla/WebService/Constants.pm
index cf26665514d..42aa600ee40 100644
--- a/mozilla/webtools/bugzilla/Bugzilla/WebService/Constants.pm
+++ b/mozilla/webtools/bugzilla/Bugzilla/WebService/Constants.pm
@@ -33,6 +33,8 @@ our @EXPORT = qw(
 REST_CONTENT_TYPE_WHITELIST
 WS_DISPATCH
+
+ API_AUTH_HEADERS
 );
 # This maps the error names in global/*-error.html.tmpl to numbers.
@@ -313,6 +315,16 @@ sub WS_DISPATCH {
 return $dispatch;
 };
+# Custom HTTP headers that can be used for API authentication rather than
+# passing as URL parameters. This is useful if you do not want sensitive
+# information to show up in webserver log files.
+use constant API_AUTH_HEADERS => {
+ X_BUGZILLA_LOGIN => 'Bugzilla_login',
+ X_BUGZILLA_PASSWORD => 'Bugzilla_password',
+ X_BUGZILLA_API_KEY => 'Bugzilla_api_key',
+ X_BUGZILLA_TOKEN => 'Bugzilla_token',
+};
+
 1;
 =head1 B
diff --git a/mozilla/webtools/bugzilla/Bugzilla/WebService/Server/REST.pm b/mozilla/webtools/bugzilla/Bugzilla/WebService/Server/REST.pm
index d02ba5523a1..9c9141c09fa 100644
--- a/mozilla/webtools/bugzilla/Bugzilla/WebService/Server/REST.pm
+++ b/mozilla/webtools/bugzilla/Bugzilla/WebService/Server/REST.pm
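Review bot: The comment on `API_AUTH_HEADERS` in Constants.pm explains only the logging benefit and does not mention the constant's second consumer: in this same commit REST.pm builds `Access-Control-Allow-Headers` from its keys, next to `Access-Control-Allow-Origin: *`. Any header added to this hash later is therefore accepted on cross-origin requests from every origin, as well as being read by `fix_credentials`. I would extend the comment with something like `# Keys are also advertised in Access-Control-Allow-Headers by the REST server; add only headers that are safe to accept cross-origin.` so the coupling is visible where the list is edited.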
@@ -134,8 +134,10 @@ sub response {
 { rpc => $self, result => \$result, response => $response });
 # Access Control
+ my @allowed_headers = (qw(accept content-type origin x-requested-with),
+ map { tr/A-Z_/a-z\-/r } keys API_AUTH_HEADERS());
 $response->header("Access-Control-Allow-Origin", "*");
- $response->header("Access-Control-Allow-Headers", "origin, content-type, accept, x-requested-with");
+ $response->header("Access-Control-Allow-Headers", join(', ', @allowed_headers));
 # ETag support
 my $etag = $self->bz_etag;
diff --git a/mozilla/webtools/bugzilla/Bugzilla/WebService/Util.pm b/mozilla/webtools/bugzilla/Bugzilla/WebService/Util.pm
index 4eae66bd371..cbbc47921ad 100644
--- a/mozilla/webtools/bugzilla/Bugzilla/WebService/Util.pm
+++ b/mozilla/webtools/bugzilla/Bugzilla/WebService/Util.pm
@@ -14,6 +14,7 @@ use warnings;
 use Bugzilla::Flag;
 use Bugzilla::FlagType;
 use Bugzilla::Error;
+use Bugzilla::WebService::Constants;
 use Storable qw(dclone);
 use URI::Escape qw(uri_unescape);
@@ -261,22 +262,15 @@ sub params_to_objects {
 return \@objects;
 }
-use constant X_HEADERS => {
- X_BUGZILLA_LOGIN => 'Bugzilla_login',
- X_BUGZILLA_PASSWORD => 'Bugzilla_password',
- X_BUGZILLA_API_KEY => 'Bugzilla_api_key',
- X_BUGZILLA_TOKEN => 'Bugzilla_token',
-};
-
 sub fix_credentials {
 my ($params, $cgi) = @_;
 # Allow user to pass in authentication details in X-Headers
 # This allows callers to keep credentials out of GET request query-strings
 if ($cgi) {
- foreach my $field (keys %{ X_HEADERS() }) {
- next if exists $params->{X_HEADERS->{$field}} || $cgi->http($field) // '' eq '';
- $params->{X_HEADERS->{$field}} = uri_unescape($cgi->http($field));
+ foreach my $field (keys %{ API_AUTH_HEADERS() }) {
+ next if exists $params->{API_AUTH_HEADERS->{$field}} || ($cgi->http($field) // '') eq '';
+ $params->{API_AUTH_HEADERS->{$field}} = uri_unescape($cgi->http($field));
 }
 }
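Review bot: `keys API_AUTH_HEADERS()` in the added `@allowed_headers` statement of REST.pm hands `keys` a hash reference rather than a hash, which only compiles on Perl releases that had the experimental autodereferencing (5.14 through 5.22); the Util.pm hunk of this same commit already uses the portable form. Writing it as `map { tr/A-Z_/a-z\-/r } keys %{ API_AUTH_HEADERS() }` removes that dependency. The `/r` flag on `tr` also needs 5.14, so if older interpreters are still supported (not visible here) the map body should copy and then translate, e.g. `map { (my $h = $_) =~ tr/A-Z_/a-z\-/; $h }`. Both problems are compile-time errors, so the module would fail to load rather than just lose the CORS header; `response` itself starts and ends outside the hunk.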
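Review bot: `fix_credentials` in Util.pm passes every credential header through `uri_unescape`, and neither the comment above the loop nor the one on `API_AUTH_HEADERS` tells callers that header values must be percent-encoded. A password or token sent verbatim that happens to contain `%` followed by two hex digits is silently rewritten before authentication, and a request parameter of the same name, even an empty one, takes precedence over the header because of the `exists` test. I would add a comment above the loop such as `# Header values are URI-unescaped, so clients must percent-encode them; a parameter already present in $params wins over the header.` The function continues past the end of this hunk.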