Bommels05/Mozilla
Bommels05/Mozilla
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Bug 1141440: OPTION response for CORS requests to REST doesn't allow X-Bugzilla headers

Browse Source 
r=glob,a=glob


git-svn-id: svn://10.0.0.236/trunk@265855 18797224-902f-48f8-a5cc-f745e15eee43
This commit is contained in:
bzrmirror%bugzilla.org 2015-03-11 14:45:50 +00:00
parent f3dd00e22f
commit 07f9e6cbe0
5 changed files with 21 additions and 13 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
mozilla/webtools/bugzilla/.bzrrev
View File

@ -1 +1 @@
9327 9328

2
mozilla/webtools/bugzilla/.gitrev
View File

@ -1 +1 @@
74fb163c93ccb10475f507b4b1fe7f4817990a10 c3b984aa204bdb318b05302ab50702b789c305b0

12
mozilla/webtools/bugzilla/Bugzilla/WebService/Constants.pm
View File

@ -33,6 +33,8 @@ our @EXPORT = qw(
REST_CONTENT_TYPE_WHITELIST REST_CONTENT_TYPE_WHITELIST
WS_DISPATCH WS_DISPATCH
API_AUTH_HEADERS
); );
# This maps the error names in global/*-error.html.tmpl to numbers. # This maps the error names in global/*-error.html.tmpl to numbers.
@ -313,6 +315,16 @@ sub WS_DISPATCH {
return $dispatch; return $dispatch;
}; };
# Custom HTTP headers that can be used for API authentication rather than
# passing as URL parameters. This is useful if you do not want sensitive
# information to show up in webserver log files.
use constant API_AUTH_HEADERS => {
X_BUGZILLA_LOGIN => 'Bugzilla_login',
X_BUGZILLA_PASSWORD => 'Bugzilla_password',
X_BUGZILLA_API_KEY => 'Bugzilla_api_key',
X_BUGZILLA_TOKEN => 'Bugzilla_token',
};
1; 1;
=head1 B<Methods in need of POD> =head1 B<Methods in need of POD>

4
mozilla/webtools/bugzilla/Bugzilla/WebService/Server/REST.pm
View File

@ -134,8 +134,10 @@ sub response {
{ rpc => $self, result => \$result, response => $response }); { rpc => $self, result => \$result, response => $response });
# Access Control # Access Control
my @allowed_headers = (qw(accept content-type origin x-requested-with),
map { tr/A-Z_/a-z\-/r } keys API_AUTH_HEADERS());
$response->header("Access-Control-Allow-Origin", "*"); $response->header("Access-Control-Allow-Origin", "*");
$response->header("Access-Control-Allow-Headers", "origin, content-type, accept, x-requested-with"); $response->header("Access-Control-Allow-Headers", join(', ', @allowed_headers));
# ETag support # ETag support
my $etag = $self->bz_etag; my $etag = $self->bz_etag;

14
mozilla/webtools/bugzilla/Bugzilla/WebService/Util.pm
View File

@ -14,6 +14,7 @@ use warnings;
use Bugzilla::Flag; use Bugzilla::Flag;
use Bugzilla::FlagType; use Bugzilla::FlagType;
use Bugzilla::Error; use Bugzilla::Error;
use Bugzilla::WebService::Constants;
use Storable qw(dclone); use Storable qw(dclone);
use URI::Escape qw(uri_unescape); use URI::Escape qw(uri_unescape);
@ -261,22 +262,15 @@ sub params_to_objects {
return \@objects; return \@objects;
} }
use constant X_HEADERS => {
X_BUGZILLA_LOGIN => 'Bugzilla_login',
X_BUGZILLA_PASSWORD => 'Bugzilla_password',
X_BUGZILLA_API_KEY => 'Bugzilla_api_key',
X_BUGZILLA_TOKEN => 'Bugzilla_token',
};
sub fix_credentials { sub fix_credentials {
my ($params, $cgi) = @_; my ($params, $cgi) = @_;
# Allow user to pass in authentication details in X-Headers # Allow user to pass in authentication details in X-Headers
# This allows callers to keep credentials out of GET request query-strings # This allows callers to keep credentials out of GET request query-strings
if ($cgi) { if ($cgi) {
foreach my $field (keys %{ X_HEADERS() }) { foreach my $field (keys %{ API_AUTH_HEADERS() }) {
next if exists $params->{X_HEADERS->{$field}} || $cgi->http($field) // '' eq ''; next if exists $params->{API_AUTH_HEADERS->{$field}} || ($cgi->http($field) // '') eq '';
$params->{X_HEADERS->{$field}} = uri_unescape($cgi->http($field)); $params->{API_AUTH_HEADERS->{$field}} = uri_unescape($cgi->http($field));
} }
} }