
Bugzilla API 0.5 Released (including security fix)


Gervase Markham

Mar 17, 2010, 6:08:03 AM

Version 0.5 of the Bugzilla REST API has been released:
https://wiki.mozilla.org/Bugzilla:REST_API

Note: versions 0.4.1 and below have a security issue[0] which could,
under some circumstances, allow one user to impersonate another. If you
are specifically using these versions (rather than the "latest" version)
please update your client software to use version 0.5.

New In 0.5:

* Performance instrumentation. I have added code which records how long
requests take, so I can see where the bottlenecks are, if any.

If you are having performance issues with the API, _please_ file bugs
and tell me what is slow!

* JSONP support. Use "Accept: application/javascript" and pass a
"callback=myfunction" parameter, and you will get JSONP served
as application/javascript.

Compatibility Notes:

* The range of content types that the API can return is now restricted
to:
- YAML-HTML (for browsing) - text/html
- JSON - application/json
- JSONP - application/javascript
- XML (utterly unfrozen!) - application/xml

* The deprecated "count=1" parameter to bug searches to get a count has
been removed.

File bugs:
https://bugzilla.mozilla.org/enter_bug.cgi?product=Webtools&component=BzAPI

Feedback and discussion:
http://www.mozilla.org/community/developer-forums.html#tools

Gerv

[0] https://bugzilla.mozilla.org/show_bug.cgi?id=552399 . This bug will
be opened in a few days.

Gervase Markham

Mar 22, 2010, 8:53:03 AM

On 17/03/10 10:08, Gervase Markham wrote:
> Note: versions 0.4.1 and below have a security issue[0] which could,
> under some circumstances, allow one user to impersonate another. If you
> are specifically using these versions (rather than the "latest" version)
> please update your client software to use version 0.5.

Further to this: 0.1 to 0.3 have already been disabled on the api-dev
server, and 0.4 and 0.4.1 should be considered seriously endangered
species. Please upgrade your tools and apps to use /0.5 or /latest ASAP.

Gerv

Axel Hecht

Mar 22, 2010, 10:13:18 AM

Do you have a list of clients? AFAICT, my app sends a Referer header,
probably could check your logs for that.

Axel

Shawn Wilsher

Mar 22, 2010, 10:35:43 AM
to to...@lists.mozilla.org
On 3/22/2010 5:53 AM, Gervase Markham wrote:
> Further to this: 0.1 to 0.3 have already been disabled on the api-dev
> server, and 0.4 and 0.4.1 should be considered seriously endangered
> species. Please upgrade your tools and apps to use /0.5 or /latest ASAP.

Ah, so that's why my add-on stopped working.

Cheers,

Shawn

Gervase Markham

Mar 22, 2010, 11:25:22 AM

On 22/03/10 14:13, Axel Hecht wrote:
> Do you have a list of clients? AFAICT, my app sends a Referer header,
> probably could check your logs for that.

I'm not seeing Referer headers for most requests. There are some user
agent headers, but nothing specific. Python is popular :-)

Gerv

Shawn Wilsher

Mar 22, 2010, 12:45:11 PM
to to...@lists.mozilla.org
On 3/22/2010 8:25 AM, Gervase Markham wrote:
> I'm not seeing Referer headers for most requests. There are some user
> agent headers, but nothing specific. Python is popular :-)

Would you like us to use referrer headers so you can see who's using
what (not required, but suggested)? If so, I can add support to that
for my add-on.

Cheers,

Shawn
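
The log check discussed in this thread, sketched as an added example (not code from the thread or from the BzAPI project): it counts requests that still target versions below 0.5 and groups them by Referer and User-Agent so the affected clients can be identified. The "combined" access-log format, the version-as-first-path-segment layout and every sample line are assumptions constructed for illustration.

```python
import re
from collections import Counter

# Assumed log format: Apache/nginx "combined" (the thread does not say what is logged).
LINE_RE = re.compile(
    r'^\S+ \S+ \S+ \[[^\]]+\] "[A-Z]+ (?P<path>\S+) [^"]*" \d{3} \S+ '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)
# Assumed URL layout: the API version is the first path segment (/0.4.1/..., /latest/...).
VERSION_RE = re.compile(r'^/(\d+(?:\.\d+)*|latest)(?:[/?]|$)')
FIXED = (0, 5)  # first release with the fix, per the announcement

def api_version(path):
    """Return the version as an int tuple, "latest", or None if the path is unversioned."""
    m = VERSION_RE.match(path)
    if not m:
        return None
    v = m.group(1)
    return v if v == "latest" else tuple(int(p) for p in v.split("."))

def outdated_clients(lines):
    """Count requests to pre-0.5 versions, keyed by (version, referer, user agent)."""
    hits = Counter()
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not a combined-format line
        v = api_version(m.group("path"))
        if v is None or v == "latest" or v >= FIXED:
            continue
        # Combined format logs an absent Referer header as "-"
        referer = None if m.group("referer") == "-" else m.group("referer")
        hits[(".".join(map(str, v)), referer, m.group("agent"))] += 1
    return hits

# Constructed sample lines: documentation IP ranges, hypothetical paths and clients.
SAMPLE_LOG = [
    '192.0.2.10 - - [22/Mar/2010:14:01:07 +0000] "GET /0.4.1/bug/12345 HTTP/1.1" 200 812 "-" "Python-urllib/2.6"',
    '192.0.2.10 - - [22/Mar/2010:14:01:09 +0000] "GET /0.4.1/bug?product=Webtools HTTP/1.1" 200 4096 "-" "Python-urllib/2.6"',
    '198.51.100.7 - - [22/Mar/2010:14:02:30 +0000] "GET /0.4/bug/12345 HTTP/1.1" 200 812 "https://dashboard.example/" "Mozilla/5.0"',
    '203.0.113.5 - - [22/Mar/2010:14:03:00 +0000] "GET /0.5/bug/12345 HTTP/1.1" 200 812 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [22/Mar/2010:14:03:02 +0000] "GET /latest/bug/12345 HTTP/1.1" 200 812 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for (version, referer, agent), n in outdated_clients(SAMPLE_LOG).most_common():
        print(f"{n:3d}  /{version}  referer={referer or '(none)'}  agent={agent}")
```

Requests without a Referer header collapse onto the User-Agent alone, which is why a generic agent string such as a stock Python HTTP library identifies little about the client.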
