diff options
author | reed%reedloden.com <> | 2008-08-23 06:38:55 +0200 |
---|---|---|
committer | reed%reedloden.com <> | 2008-08-23 06:38:55 +0200 |
commit | d8b02aff4ed586f38a56caaafcb0374edc16d519 (patch) | |
tree | a605c395912f4ee79e299a7701fb62ffce82cca6 | |
parent | d68db405497ae121a123843ff478c8c703523094 (diff) | |
download | bugzilla-d8b02aff4ed586f38a56caaafcb0374edc16d519.tar.gz bugzilla-d8b02aff4ed586f38a56caaafcb0374edc16d519.tar.xz |
Bug 368502 - "Bugzilla_logincookie should not be accessible via javascript" [p=reed r+a=mkanat]
-rw-r--r-- | Bugzilla/Auth/Persist/Cookie.pm | 9 | ||||
-rw-r--r-- | Bugzilla/Install/Requirements.pm | 3 | ||||
-rw-r--r-- | template/en/default/pages/release-notes.html.tmpl | 2 |
3 files changed, 9 insertions, 5 deletions
diff --git a/Bugzilla/Auth/Persist/Cookie.pm b/Bugzilla/Auth/Persist/Cookie.pm index 3faa892ae..4928068e5 100644 --- a/Bugzilla/Auth/Persist/Cookie.pm +++ b/Bugzilla/Auth/Persist/Cookie.pm @@ -76,17 +76,20 @@ sub persist_login { { $cgi->send_cookie(-name => 'Bugzilla_login', -value => $user->id, + -httponly => 1, -expires => 'Fri, 01-Jan-2038 00:00:00 GMT'); $cgi->send_cookie(-name => 'Bugzilla_logincookie', -value => $login_cookie, + -httponly => 1, -expires => 'Fri, 01-Jan-2038 00:00:00 GMT'); - } else { $cgi->send_cookie(-name => 'Bugzilla_login', - -value => $user->id); + -value => $user->id, + -httponly => 1); $cgi->send_cookie(-name => 'Bugzilla_logincookie', - -value => $login_cookie); + -value => $login_cookie, + -httponly => 1); } } diff --git a/Bugzilla/Install/Requirements.pm b/Bugzilla/Install/Requirements.pm index fd3dcf589..2216d963d 100644 --- a/Bugzilla/Install/Requirements.pm +++ b/Bugzilla/Install/Requirements.pm @@ -61,7 +61,8 @@ sub REQUIRED_MODULES { module => 'CGI', # Perl 5.10 requires CGI 3.33 due to a taint issue when # uploading attachments, see bug 416382. - version => (vers_cmp($perl_ver, '5.10') > -1) ? '3.33' : '2.93' + # Require CGI 3.21 for -httponly support, see bug 368502. + version => (vers_cmp($perl_ver, '5.10') > -1) ? '3.33' : '3.21' }, { package => 'TimeDate', diff --git a/template/en/default/pages/release-notes.html.tmpl b/template/en/default/pages/release-notes.html.tmpl index 487e648b9..fad39ea47 100644 --- a/template/en/default/pages/release-notes.html.tmpl +++ b/template/en/default/pages/release-notes.html.tmpl @@ -79,7 +79,7 @@ [% INCLUDE req_table reqs = REQUIRED_MODULES new = [] updated = ['Template-Toolkit', 'Email-MIME', - 'Email-MIME-Modifier'] %] + 'Email-MIME-Modifier', 'CGI'] %] <h3><a name="v32_req_optional_mod"></a>Optional Perl Modules</h3> |