[Buildbot-commits] [Buildbot] #2674: Check content-type in REST API POSTs
Buildbot trac
trac at buildbot.net
Tue Jan 21 23:37:06 UTC 2014
#2674: Check content-type in REST API POSTs
---------------------+--------------------
Reporter: dustin | Owner: dustin
Type: defect | Status: new
Priority: critical | Milestone: 0.9.0
Version: | Keywords:
---------------------+--------------------
Browsers can be convinced to send fairly arbitrary content to a POST at an
arbitrary URL via <form>, which could be a source of XSS attacks. The
saving grace is, browsers will only use one of a few content types. So we
should be checking the content types, and rejecting those that could be
provided by a form submission.
{{{
def decodeJsonRPC2(self, request):
    # Content-Type is ignored, so that AJAX requests can be sent without
    # incurring CORS preflight overheads. The JSONRPC spec does not
    # suggest a Content-Type anyway.
}}}
.. that is not good.
(This is unreleased code, so I'm not considering this a security
vulnerability)
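The check the ticket asks for, as an added example (not Buildbot's own code): a JSON-RPC POST is refused before its body is parsed unless it carries an explicit JSON Content-Type, and the three media types a browser form can produce are rejected by name. `handle_jsonrpc_post`, its header dict and the 415 response are assumptions for the illustration.

```python
import json

# The only media types a browser <form> submission can produce (its enctype
# attribute allows nothing else), so a POST carrying one of them may have
# been sent cross-site with no JavaScript involved at all.
FORM_SUBMITTABLE = frozenset({
    "application/x-www-form-urlencoded",
    "multipart/form-data",
    "text/plain",
})

# What a JSON-RPC client is expected to send; anything else is refused too.
ACCEPTED = frozenset({"application/json"})


def media_type(content_type):
    """Lowercased media type of a Content-Type header value, with parameters
    such as '; charset=utf-8' dropped. None if the header is missing/empty."""
    if not content_type:
        return None
    return content_type.split(";", 1)[0].strip().lower() or None


def check_jsonrpc_content_type(content_type):
    """Return (ok, reason). ok is True only for an explicit JSON media type.

    A missing Content-Type is treated like a form one: the server cannot
    tell a legitimate API client from a cross-site page in either case."""
    mt = media_type(content_type)
    if mt is None:
        return False, "missing Content-Type"
    if mt in FORM_SUBMITTABLE:
        return False, "form-submittable Content-Type %s" % mt
    if mt not in ACCEPTED:
        return False, "unsupported Content-Type %s" % mt
    return True, "ok"


def handle_jsonrpc_post(headers, body):
    """Hypothetical handler: enforce the check before touching the body.
    headers is a plain dict; lookup is case-insensitive as HTTP requires.
    Returns (http_status, response_payload)."""
    ctype = next((v for k, v in headers.items()
                  if k.lower() == "content-type"), None)
    ok, reason = check_jsonrpc_content_type(ctype)
    if not ok:
        return 415, {"error": reason}          # Unsupported Media Type
    try:
        req = json.loads(body)
    except ValueError:
        return 400, {"error": "body is not valid JSON"}
    if not isinstance(req, dict):
        return 400, {"error": "JSON-RPC request must be an object"}
    return 200, {"jsonrpc": "2.0", "id": req.get("id"), "result": "accepted"}
```

The cost the original comment was avoiding is real: requiring application/json means a cross-origin AJAX caller now triggers a CORS preflight, which is exactly what stops a plain form from reaching the endpoint.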
--
Ticket URL: <http://trac.buildbot.net/ticket/2674>
Buildbot <http://buildbot.net/>
Buildbot: build/test automation