diff options
author | Frédéric Buclin <LpSolit@gmail.com> | 2014-02-15 00:27:26 +0100 |
---|---|---|
committer | Frédéric Buclin <LpSolit@gmail.com> | 2014-02-15 00:27:26 +0100 |
commit | 09317bf98d6100f3242150c6bd683c58d5e9793e (patch) | |
tree | 5f595201a0ccea181cd4b46d3a2ef8ec57b476f0 | |
parent | c91b8f3e0896e0e96fd4af4c4e054c45ded42fa8 (diff) | |
download | bugzilla-09317bf98d6100f3242150c6bd683c58d5e9793e.tar.gz bugzilla-09317bf98d6100f3242150c6bd683c58d5e9793e.tar.xz |
Bug 966676: The 'sudo' cookie should not be accessible from JavaScript
r=dkl a=justdave
-rwxr-xr-x | relogin.cgi | 13 |
1 files changed, 10 insertions, 3 deletions
diff --git a/relogin.cgi b/relogin.cgi index e2effd105..52944a811 100755 --- a/relogin.cgi +++ b/relogin.cgi @@ -137,11 +137,18 @@ elsif ($action eq 'begin-sudo') { # For future sessions, store the unique ID of the target user my $token = Bugzilla::Token::_create_token($user->id, 'sudo', $target_user->id); + + my %args; + if (Bugzilla->params->{ssl_redirect}) { + $args{'-secure'} = 1; + } + $cgi->send_cookie('-name' => 'sudo', '-expires' => $time_string, - '-value' => $token - ); - + '-value' => $token, + '-httponly' => 1, + %args); + # For the present, change the values of Bugzilla::user & Bugzilla::sudoer Bugzilla->sudo_request($target_user, $user); |