authorlpsolit%gmail.com <>2006-02-21 09:19:25 +0100
committerlpsolit%gmail.com <>2006-02-21 09:19:25 +0100
commitc401ba318f9dcd511b8aad742f09680b79cec135 (patch)
tree6eec060d71a51ea2df06055443f8d50c606537a8
parentc738859a411c63f64fa931a5275111aeb9d90fd8 (diff)
downloadbugzilla-c401ba318f9dcd511b8aad742f09680b79cec135.tar.gz
bugzilla-c401ba318f9dcd511b8aad742f09680b79cec135.tar.xz
[SECURITY] Bug 325079: The login form on the Bugzilla home page may redirect your login and password to another site - Patch by Frédéric Buclin <LpSolit@gmail.com> r=myk a=justdave
-rw-r--r--template/en/default/account/auth/login-small.html.tmpl14
1 files changed, 13 insertions, 1 deletions
diff --git a/template/en/default/account/auth/login-small.html.tmpl b/template/en/default/account/auth/login-small.html.tmpl
index 85802a771..a6e3b6ddb 100644
--- a/template/en/default/account/auth/login-small.html.tmpl
+++ b/template/en/default/account/auth/login-small.html.tmpl
@@ -21,7 +21,19 @@
[% PROCESS global/variables.none.tmpl %]
-<form name="login" action="[% cgi.script_name FILTER html %]" method="POST">
+[%# Use the current script name. If an empty name is retuned,
+ # then we are accessing the home page. %]
+
+[% script_name = cgi.url(Relative => 1) %]
+
+[%# If SSL is in use, use 'sslbase', else use 'urlbase'. %]
+[% IF Param("sslbase") != "" && Param("ssl") != "never" %]
+ [% script_name = Param("sslbase") _ script_name %]
+[% ELSE %]
+ [% script_name = Param("urlbase") _ script_name %]
+[% END %]
+
+<form name="login" action="[% script_name FILTER html %]" method="POST">
<table>
<tr>
<td align="right"><b>Login:</b></td>
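Review bot: The two added comments say what is computed but not why, and the reason is the security-relevant part: the form action is now anchored to the configured `urlbase`/`sslbase` instead of a value taken from the request. I would state that next to the code, e.g. `[%# Always prefix the configured base URL so the login and password are only ever posted to this installation (bug 325079). %]`. The action is only absolute if those parameters hold a full URL ending in `/`; the hunk appears to assume this without checking it, so an empty `urlbase` would presumably leave the action relative again. The first comment has a typo (`retuned`), and because `script_name` ends up holding a full URL, a name such as `login_target` would read more accurately. The `<form>` element continues past the end of the hunk.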