diff options
author | Frédéric Buclin <LpSolit@gmail.com> | 2014-04-17 18:11:12 +0200 |
---|---|---|
committer | Frédéric Buclin <LpSolit@gmail.com> | 2014-04-17 18:11:12 +0200 |
commit | 0e390970ba51b14a5dc780be7c6f0d6d7baa67e3 (patch) | |
tree | 5e3a8751012a0c99769129494d1863a3a9ca5d9f /Bugzilla/Auth/Persist/Cookie.pm | |
parent | b639a1a7f4ed58f8d30058509444e44be3095f53 (diff) | |
download | bugzilla-0e390970ba51b14a5dc780be7c6f0d6d7baa67e3.tar.gz bugzilla-0e390970ba51b14a5dc780be7c6f0d6d7baa67e3.tar.xz |
Bug 713926: (CVE-2014-1517) [SECURITY] Login form lacks CSRF protection
r=dkl a=justdave
Diffstat (limited to 'Bugzilla/Auth/Persist/Cookie.pm')
-rw-r--r-- | Bugzilla/Auth/Persist/Cookie.pm | 4 |
1 files changed, 4 insertions, 0 deletions
diff --git a/Bugzilla/Auth/Persist/Cookie.pm b/Bugzilla/Auth/Persist/Cookie.pm index 5a9857cba..6f4eac96d 100644 --- a/Bugzilla/Auth/Persist/Cookie.pm +++ b/Bugzilla/Auth/Persist/Cookie.pm @@ -54,6 +54,10 @@ sub persist_login { $dbh->bz_commit_transaction(); + # We do not want WebServices to generate login cookies. + # All we need is the login token for User.login. + return $login_cookie if i_am_webservice(); + # Prevent JavaScript from accessing login cookies. my %cookieargs = ('-httponly' => 1); |