authorreed%reedloden.com <>2008-08-23 06:38:55 +0200
committerreed%reedloden.com <>2008-08-23 06:38:55 +0200
commitd8b02aff4ed586f38a56caaafcb0374edc16d519 (patch)
treea605c395912f4ee79e299a7701fb62ffce82cca6
parentd68db405497ae121a123843ff478c8c703523094 (diff)
Bug 368502 - "Bugzilla_logincookie should not be accessible via javascript" [p=reed r+a=mkanat]
-rw-r--r--Bugzilla/Auth/Persist/Cookie.pm9
-rw-r--r--Bugzilla/Install/Requirements.pm3
-rw-r--r--template/en/default/pages/release-notes.html.tmpl2
3 files changed, 9 insertions, 5 deletions
diff --git a/Bugzilla/Auth/Persist/Cookie.pm b/Bugzilla/Auth/Persist/Cookie.pm
index 3faa892ae..4928068e5 100644
--- a/Bugzilla/Auth/Persist/Cookie.pm
+++ b/Bugzilla/Auth/Persist/Cookie.pm
@@ -76,17 +76,20 @@ sub persist_login {
{
$cgi->send_cookie(-name => 'Bugzilla_login',
-value => $user->id,
+ -httponly => 1,
-expires => 'Fri, 01-Jan-2038 00:00:00 GMT');
$cgi->send_cookie(-name => 'Bugzilla_logincookie',
-value => $login_cookie,
+ -httponly => 1,
-expires => 'Fri, 01-Jan-2038 00:00:00 GMT');
-
}
else {
$cgi->send_cookie(-name => 'Bugzilla_login',
- -value => $user->id);
+ -value => $user->id,
+ -httponly => 1);
$cgi->send_cookie(-name => 'Bugzilla_logincookie',
- -value => $login_cookie);
+ -value => $login_cookie,
+ -httponly => 1);
}
}
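Review bot: Neither branch pairs the new `-httponly => 1` with the Secure attribute, so on an installation reached over HTTPS the Bugzilla_login and Bugzilla_logincookie values can still be transmitted in clear by a browser that follows a plain http:// link to the same host. HttpOnly only blocks script access; adding `-secure => 1` to both send_cookie calls when the login itself was served over TLS closes the remaining exposure, with the condition taken from however this installation exposes its SSL setting (not visible in this hunk), e.g. `-httponly => 1, -secure => ($over_ssl ? 1 : 0),`. The four send_cookie calls now repeat the same flag; hoisting the shared attributes into one list such as `my @cookie_flags = (-httponly => 1);` and splatting it into each call would keep a later Secure addition in one place. The body of persist_login begins before this hunk.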
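--- a/Bugzilla/Install/Requirements.pm
+++ b/Bugzilla/Install/Requirements.pm
@@ -61,7 +61,8 @@ sub REQUIRED_MODULES {
 module => 'CGI',
 # Perl 5.10 requires CGI 3.33 due to a taint issue when
 # uploading attachments, see bug 416382.
- version => (vers_cmp($perl_ver, '5.10') > -1) ? '3.33' : '2.93'
+ # Require CGI 3.21 for -httponly support, see bug 368502.
+ version => (vers_cmp($perl_ver, '5.10') > -1) ? '3.33' : '3.21'
 },
 {
 package => 'TimeDate',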
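Review bot: The new comment is inserted between the existing bug 416382 comment and the version line, so the two rationales now read as one sentence about Perl 5.10 even though 3.21 is the floor for every Perl. Putting the general floor first and the 5.10 exception second makes the ternary's two arms match the comment order, e.g. `# CGI 3.21 is needed for -httponly support (bug 368502); Perl 5.10 raises the floor to 3.33 because of a taint issue when uploading attachments (bug 416382).` The REQUIRED_MODULES list continues outside this hunk.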
diff --git a/template/en/default/pages/release-notes.html.tmpl b/template/en/default/pages/release-notes.html.tmpl
index 487e648b9..fad39ea47 100644
--- a/template/en/default/pages/release-notes.html.tmpl
+++ b/template/en/default/pages/release-notes.html.tmpl
@@ -79,7 +79,7 @@
[% INCLUDE req_table reqs = REQUIRED_MODULES
new = []
updated = ['Template-Toolkit', 'Email-MIME',
- 'Email-MIME-Modifier'] %]
+ 'Email-MIME-Modifier', 'CGI'] %]
<h3><a name="v32_req_optional_mod"></a>Optional Perl Modules</h3>