authorFrédéric Buclin <LpSolit@gmail.com>2014-02-15 00:27:26 +0100
committerFrédéric Buclin <LpSolit@gmail.com>2014-02-15 00:27:26 +0100
commit09317bf98d6100f3242150c6bd683c58d5e9793e (patch)
tree5f595201a0ccea181cd4b46d3a2ef8ec57b476f0
parentc91b8f3e0896e0e96fd4af4c4e054c45ded42fa8 (diff)
downloadbugzilla-09317bf98d6100f3242150c6bd683c58d5e9793e.tar.gz
bugzilla-09317bf98d6100f3242150c6bd683c58d5e9793e.tar.xz
Bug 966676: The 'sudo' cookie should not be accessible from JavaScript
r=dkl a=justdave
-rwxr-xr-xrelogin.cgi13
1 files changed, 10 insertions, 3 deletions
diff --git a/relogin.cgi b/relogin.cgi
index e2effd105..52944a811 100755
--- a/relogin.cgi
+++ b/relogin.cgi
@@ -137,11 +137,18 @@ elsif ($action eq 'begin-sudo') {
# For future sessions, store the unique ID of the target user
my $token = Bugzilla::Token::_create_token($user->id, 'sudo', $target_user->id);
+
+ my %args;
+ if (Bugzilla->params->{ssl_redirect}) {
+ $args{'-secure'} = 1;
+ }
+
$cgi->send_cookie('-name' => 'sudo',
'-expires' => $time_string,
- '-value' => $token
- );
-
+ '-value' => $token,
+ '-httponly' => 1,
+ %args);
+
# For the present, change the values of Bugzilla::user & Bugzilla::sudoer
Bugzilla->sudo_request($target_user, $user);