November 24, 2009

Bugzilla API 0.3 Released

Version 0.3 of the Bugzilla REST API has been released. New in this version:

  • name=value search for arbitrary fields; e.g "&cf_mycustomfield=somevalue"
  • All timestamps are now in UTC, ISO 8601 format
  • Support for OPTIONS
  • Access-Control-Allow-Origin header now on all responses (permits cross-site requests)
  • Support for downloading bug data for multiple bugs, in full, in a single request (see docs for search to find out how)
  • Text searches now default to "contains_all" (as substrings, space-sep)
  • Initial support for decent error codes - however, don't rely on them not changing!

Compatibility Notes:

  • Note that the timestamps format change is backwardly-incompatible.
  • All API capabilities now work against bugzilla.mozilla.org, now that it's been upgraded and patched.
  • An advance warning: in the next release, the Configuration object's "groups" hash will change to be keyed by ID rather than name (and so also the "id" field will disappear to be replaced by a "name" field).

File bugs | Feedback and discussion.

Posted by gerv at November 24, 2009 5:01 PM | TrackBack
Comments

Won't allowing cross-site requests open the door for CSRF attacks on bugzilla from random webpages?

Posted by: Ted Mielczarek at November 25, 2009 5:03 PM

Ted: No, I don't think so, because all Bugzilla API URLs require authentication parameters on the URL. It doesn't use cookie auth or HTTP Basic Auth.

If that still leaves us open to CSRF, tell me how, quick! :-)

Gerv

Posted by: Gerv at November 25, 2009 5:59 PM
Post a comment





(not published)




Remember personal info?


This entry box accepts some HTML. You will need to escape < as &lt; and > as &gt;. Useful tags: <blockquote>, <b>.