fix security hole, instead white-listing allowed HTTP methods

karpet · Aug 31, 2012 · 69d53fd · 69d53fd
1 parent 468a6ae
commit 69d53fd
Show file tree

Hide file tree

Showing 5 changed files with 19 additions and 7 deletions.
diff --git a/Changes b/Changes
@@ -60,3 +60,8 @@ Revision history for Search-OpenSearch-Server
           those methods specific to a Plack::Component.
         * fix some undefined object errors 
 
+0.17    xxx
+        * use Engine->get_allowed_rest_methods instead of hardcoded list
+        * fix security hole where arbitrary Perl methods could be called via HTTP
+          like RPC.
+
diff --git a/Makefile.PL b/Makefile.PL
@@ -7,7 +7,7 @@ name 'Search-OpenSearch-Server';
 perl_version '5.8.3';
 all_from 'lib/Search/OpenSearch/Server.pm';
 requires 'Test::More'         => 0;
-requires 'Search::OpenSearch' => 0.18;
+requires 'Search::OpenSearch' => 0.20;
 requires 'Plack'              => 0;
 requires 'JSON'               => 0;
 

diff --git a/lib/Search/OpenSearch/Result.pm b/lib/Search/OpenSearch/Result.pm
@@ -8,7 +8,7 @@ use overload
     'bool'   => sub {1},
     fallback => 1;
 
-our $VERSION = '0.16';
+our $VERSION = '0.16_01';
 
 __PACKAGE__->mk_accessors(
     qw(

diff --git a/lib/Search/OpenSearch/Server.pm b/lib/Search/OpenSearch/Server.pm
@@ -10,7 +10,7 @@ use Data::Dump qw( dump );
 use JSON;
 use Time::HiRes qw( time );
 
-our $VERSION = '0.16';
+our $VERSION = '0.16_01';
 
 my %formats = (
     'XML'   => 1,
@@ -129,9 +129,13 @@ sub do_rest_api {
         croak "engine() is undefined";
     }
 
-    if ( !$engine->can($method) ) {
+    my @allowed_methods = $engine->get_allowed_rest_methods();
+
+    if (   !$engine->can($method)
+        or !grep { $_ eq $method } @allowed_methods )
+    {
         $response->status(405);
-        $response->header( 'Allow' => 'GET, POST, PUT, DELETE' );
+        $response->header( 'Allow' => join( ', ', @allowed_methods ) );
         $response->body(
             Search::OpenSearch::Result->new(
                 {   success => 0,
@@ -170,7 +174,10 @@ sub do_rest_api {
 
         #warn dump $doc;
 
-        if ( $doc->{url} eq '/' or $doc->{url} eq "" ) {
+        if (    ( $doc->{url} eq '/' or $doc->{url} eq "" )
+            and $method ne "COMMIT"
+            and $method ne "ROLLBACK" )
+        {
 
             #warn "invalid url";
             $response->status(400);

diff --git a/lib/Search/OpenSearch/Server/Plack.pm b/lib/Search/OpenSearch/Server/Plack.pm
@@ -12,7 +12,7 @@ use JSON;
 use Scalar::Util qw( weaken );
 use Time::HiRes qw( time );
 
-our $VERSION = '0.16';
+our $VERSION = '0.16_01';
 
 sub prepare_app {
     my $self = shift;