From 0af9c776bc5223556c9140378a7a1ab76d94a7c0 Mon Sep 17 00:00:00 2001
From: Dave Lawrence <dlawrence@mozilla.com>
Date: Wed, 22 Feb 2012 10:48:50 -0500
Subject: Bug 725663 - (CVE-2012-0453) [SECURITY] CSRF vulnerability in the
 XML-RPC API when using mod_perl r/a=LpSolit

---
 Bugzilla/WebService/Constants.pm | 8 ++++++++
 1 file changed, 8 insertions(+)

(limited to 'Bugzilla/WebService/Constants.pm')

diff --git a/Bugzilla/WebService/Constants.pm b/Bugzilla/WebService/Constants.pm
index c2eaa0cb2..491970291 100644
--- a/Bugzilla/WebService/Constants.pm
+++ b/Bugzilla/WebService/Constants.pm
@@ -14,6 +14,7 @@ our @EXPORT = qw(
     WS_ERROR_CODE
     ERROR_UNKNOWN_FATAL
     ERROR_UNKNOWN_TRANSIENT
+    XMLRPC_CONTENT_TYPE_WHITELIST
 
     WS_DISPATCH
 );
@@ -162,6 +163,8 @@ use constant WS_ERROR_CODE => {
     unknown_method       => -32601,
     json_rpc_post_only   => 32610,
     json_rpc_invalid_callback => 32611,
+    xmlrpc_illegal_content_type   => 32612, 
+    json_rpc_illegal_content_type => 32613, 
 };
 
 # These are the fallback defaults for errors not in ERROR_CODE.
@@ -170,6 +173,11 @@ use constant ERROR_UNKNOWN_TRANSIENT => 32000;
 
 use constant ERROR_GENERAL       => 999;
 
+use constant XMLRPC_CONTENT_TYPE_WHITELIST => qw(
+    text/xml
+    application/xml
+);
+
 sub WS_DISPATCH {
     # We "require" here instead of "use" above to avoid a dependency loop.
     require Bugzilla::Hook;
-- 
cgit v1.2.1