aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorKoosha Khajeh Moogahi <koosha.khajeh@gmail.com>2012-10-12 19:46:07 +0200
committerFrédéric Buclin <LpSolit@gmail.com>2012-10-12 19:46:07 +0200
commit73958ee239e7c28d394bdbd37081cfaa7c1bc7ed (patch)
tree1e675a29fb724e7c6d07b1d4b41720e1da72b7cc
parentd642d81c9c3438b3778e8d03d00804bc4f7732b0 (diff)
downloadbugs-73958ee239e7c28d394bdbd37081cfaa7c1bc7ed.tar
bugs-73958ee239e7c28d394bdbd37081cfaa7c1bc7ed.tar.gz
bugs-73958ee239e7c28d394bdbd37081cfaa7c1bc7ed.tar.bz2
bugs-73958ee239e7c28d394bdbd37081cfaa7c1bc7ed.tar.xz
bugs-73958ee239e7c28d394bdbd37081cfaa7c1bc7ed.zip
Bug 793826: Prevent private web service methods from being called
r=dkl a=LpSolit
-rw-r--r--Bugzilla/WebService/Server.pm4
1 files changed, 3 insertions, 1 deletions
diff --git a/Bugzilla/WebService/Server.pm b/Bugzilla/WebService/Server.pm
index 5f1795178..5634aa0fe 100644
--- a/Bugzilla/WebService/Server.pm
+++ b/Bugzilla/WebService/Server.pm
@@ -17,7 +17,9 @@ use Scalar::Util qw(blessed);
sub handle_login {
my ($self, $class, $method, $full_method) = @_;
- ThrowCodeError('unknown_method', {method => $full_method}) if !$class;
+ # Throw error if the supplied class does not exist or the method is private
+ ThrowCodeError('unknown_method', {method => $full_method}) if (!$class or $method =~ /^_/);
+
eval "require $class";
ThrowCodeError('unknown_method', {method => $full_method}) if $@;
return if ($class->login_exempt($method)