[Bug 4257] New: hgext/bugzilla xmlrpc is broken by a security change in Bugzilla 4.4.2

mercurial-bugs at selenic.com
Wed May 21 08:32:22 CDT 2014


http://bz.selenic.com/show_bug.cgi?id=4257

          Priority: normal
            Bug ID: 4257
                CC: mercurial-devel at selenic.com
          Assignee: bugzilla at selenic.com
           Summary: hgext/bugzilla xmlrpc is broken by a security change
                    in Bugzilla 4.4.2
          Severity: bug
    Classification: Unclassified
                OS: All
          Reporter: lloydsensei+mercurial at gmail.com
          Hardware: All
            Status: UNCONFIRMED
           Version: unspecified
         Component: Mercurial
           Product: Mercurial

Upon running the hook on a commit with a message containing "Bug 251", the
following error is issued:

Bugzilla error: <Fault 410: 'You must log in before using this part of
Bugzilla.'>

I investigated the issue, and this is due to a change in Bugzilla 4.4.2 which
no longer accepts login via cookie on GET requests, to prevent malicious websites
from using JSONP to gain access to the user's Bugzilla account.

IN SHORT: hgext/bugzilla is using an insecure means of communication with the
Bugzilla bug tracker, and that insecure means of communication was disabled in
the 4.4.2 release of Bugzilla.

Regards,
Camusensei

-- 
You are receiving this mail because:
You are on the CC list for the bug.

