authorlpsolit%gmail.com <>2008-08-27 08:08:50 +0200
committerlpsolit%gmail.com <>2008-08-27 08:08:50 +0200
commitfe1592095525f8622fcbceae6ae926634c096ec3 (patch)
tree3c040ce51b0e12cb8b0dc12e0f13b9acee9847dc
parenta2631d18069f099eb5133c4484c9b80ff2a3f547 (diff)
downloadbugzilla-fe1592095525f8622fcbceae6ae926634c096ec3.tar.gz
bugzilla-fe1592095525f8622fcbceae6ae926634c096ec3.tar.xz
Bug 449984: Login cookies should be created as SSL-only on installations that require SSL - Patch by Frédéric Buclin <LpSolit@gmail.com> r/a=mkanat
-rw-r--r--Bugzilla/Auth/Persist/Cookie.pm33
1 files changed, 18 insertions, 15 deletions
diff --git a/Bugzilla/Auth/Persist/Cookie.pm b/Bugzilla/Auth/Persist/Cookie.pm
index 4928068e5..9098f8989 100644
--- a/Bugzilla/Auth/Persist/Cookie.pm
+++ b/Bugzilla/Auth/Persist/Cookie.pm
@@ -67,6 +67,9 @@ sub persist_login {
VALUES (?, ?, ?, NOW())",
undef, $login_cookie, $user->id, $ip_addr);
+ # Prevent JavaScript from accessing login cookies.
+ my %cookieargs = ('-httponly' => 1);
+
# Remember cookie only if admin has told so
# or admin didn't forbid it and user told to remember.
if ( Bugzilla->params->{'rememberlogin'} eq 'on' ||
@@ -74,23 +77,23 @@ sub persist_login {
$cgi->param('Bugzilla_remember') &&
$cgi->param('Bugzilla_remember') eq 'on') )
{
- $cgi->send_cookie(-name => 'Bugzilla_login',
- -value => $user->id,
- -httponly => 1,
- -expires => 'Fri, 01-Jan-2038 00:00:00 GMT');
- $cgi->send_cookie(-name => 'Bugzilla_logincookie',
- -value => $login_cookie,
- -httponly => 1,
- -expires => 'Fri, 01-Jan-2038 00:00:00 GMT');
+ # Not a session cookie, so set an infinite expiry
+ $cookieargs{'-expires'} = 'Fri, 01-Jan-2038 00:00:00 GMT';
}
- else {
- $cgi->send_cookie(-name => 'Bugzilla_login',
- -value => $user->id,
- -httponly => 1);
- $cgi->send_cookie(-name => 'Bugzilla_logincookie',
- -value => $login_cookie,
- -httponly => 1);
+ if (Bugzilla->params->{'ssl'} ne 'never'
+ && Bugzilla->params->{'sslbase'} ne '')
+ {
+ # Bugzilla->login will automatically redirect to https://,
+ # so it's safe to turn on the 'secure' bit.
+ $cookieargs{'-secure'} = 1;
}
+
+ $cgi->send_cookie(-name => 'Bugzilla_login',
+ -value => $user->id,
+ %cookieargs);
+ $cgi->send_cookie(-name => 'Bugzilla_logincookie',
+ -value => $login_cookie,
+ %cookieargs);
}
sub logout {
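Review bot: The `-secure` decision in the `Bugzilla->params->{'ssl'} ne 'never' && Bugzilla->params->{'sslbase'} ne ''` test looks only at configuration, never at how the current request arrived. An installation that is served over HTTPS by the web server while `ssl` is left at `never` would therefore still issue both login cookies without the Secure attribute. Consider also turning the bit on when the request itself is on TLS, for example `if ($cgi->protocol eq 'https' || (Bugzilla->params->{'ssl'} ne 'never' && Bugzilla->params->{'sslbase'} ne '')) {`. The comment's claim that Bugzilla->login redirects to https:// depends on code outside this hunk; if that redirect and this condition ever drift apart, the browser would hold a Secure cookie it does not send over http and logins would appear not to persist, so a single shared "SSL is required" helper used by both places would be safer. persist_login starts before the hunk.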