#2674: Check content-type in REST API POSTs
---------------------+--------------------
Reporter: dustin | Owner: dustin
Type: defect | Status: new
Priority: critical | Milestone: 0.9.0
Version: | Keywords:
---------------------+--------------------
Browsers can be convinced to send fairly arbitrary content to a POST at an
arbitrary URL via <form>, which could be a source of XSS attacks. The
saving grace is, browsers will only use one of a few content types. So we
should be checking the content types, and rejecting those that could be
provided by a form submission.
{{{
def decodeJsonRPC2(self, request):
    # Content-Type is ignored, so that AJAX requests can be sent without
    # incurring CORS preflight overheads. The JSONRPC spec does not
    # suggest a Content-Type anyway.
}}}
.. that is not good.
(This is unreleased code, so I'm not considering this a security
vulnerability)
--
Ticket URL: <http://trac.buildbot.net/ticket/2674>
Buildbot <http://buildbot.net/>
Buildbot: build/test automation
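As an added example (not Buildbot's code, and not from the ticket reporter), this is the shape of check the ticket asks for: a `<form>` can only submit `application/x-www-form-urlencoded`, `multipart/form-data` or `text/plain`, so rejecting those media types (and requiring an explicit JSON media type, which a cross-origin XHR cannot send without a preflight) closes off cross-site form POSTs to the JSON-RPC endpoint. The function names and the accepted media types are assumptions for illustration.

```python
import json

# Media types a browser <form> can produce; these are exactly what a
# cross-site form submission can deliver to the endpoint.
FORM_SUBMITTABLE = {
    "application/x-www-form-urlencoded",
    "multipart/form-data",
    "text/plain",
}

# Media types a legitimate JSON-RPC 2.0 client is expected to send
# (assumed set for this example; the spec does not mandate one).
ALLOWED = {"application/json", "application/json-rpc"}


def parse_media_type(header):
    """Return the lower-cased media type from a Content-Type header value,
    dropping parameters such as charset or boundary. None if absent/blank."""
    if header is None:
        return None
    media_type = header.split(";", 1)[0].strip().lower()
    return media_type or None


def check_content_type(header):
    """Return (ok, reason). An absent header is rejected as well, because a
    browser substitutes a form default when none is given explicitly."""
    media_type = parse_media_type(header)
    if media_type is None:
        return False, "missing Content-Type"
    if media_type in FORM_SUBMITTABLE:
        return False, "form-submittable Content-Type %r" % media_type
    if media_type not in ALLOWED:
        return False, "unsupported Content-Type %r" % media_type
    return True, ""


def decode_json_rpc2(content_type, body):
    """Hypothetical replacement for the handler's decoding step: enforce the
    Content-Type check before the body is parsed at all."""
    ok, reason = check_content_type(content_type)
    if not ok:
        raise ValueError(reason)
    return json.loads(body)
```

The trade-off is the one the removed comment describes: a client must now send a real JSON media type, so browser-based callers from other origins will incur a CORS preflight, which is precisely what keeps a silent cross-site form POST out.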