diff options
author | Frédéric Buclin <LpSolit@gmail.com> | 2014-02-17 07:43:44 +0100 |
---|---|---|
committer | Byron Jones <bjones@mozilla.com> | 2014-02-17 07:43:44 +0100 |
commit | 82b6c8305d7bdce96e5569de113d45f040d4acb7 (patch) | |
tree | c10f54c07dba519153b289b5a9e0ac2f4c042cf5 | |
parent | f370ed27d0439ff05a6cdb86d634163fe3cc2bf1 (diff) | |
download | bugzilla-82b6c8305d7bdce96e5569de113d45f040d4acb7.tar.gz bugzilla-82b6c8305d7bdce96e5569de113d45f040d4acb7.tar.xz |
Bug 966676: The 'sudo' cookie should not be accessible from JavaScript
-rwxr-xr-x | relogin.cgi | 13 |
1 files changed, 10 insertions, 3 deletions
diff --git a/relogin.cgi b/relogin.cgi index 07796f9f6..295d199c5 100755 --- a/relogin.cgi +++ b/relogin.cgi @@ -152,11 +152,18 @@ elsif ($action eq 'begin-sudo') { # For future sessions, store the unique ID of the target user my $token = Bugzilla::Token::_create_token($user->id, 'sudo', $target_user->id); + + my %args; + if (Bugzilla->params->{ssl_redirect}) { + $args{'-secure'} = 1; + } + $cgi->send_cookie('-name' => 'sudo', '-expires' => $time_string, - '-value' => $token - ); - + '-value' => $token, + '-httponly' => 1, + %args); + # For the present, change the values of Bugzilla::user & Bugzilla::sudoer Bugzilla->sudo_request($target_user, $user); |