summaryrefslogtreecommitdiffstats
path: root/Bugzilla/Auth
diff options
context:
space:
mode:
authordkl%redhat.com <>2008-08-18 11:16:12 +0200
committerdkl%redhat.com <>2008-08-18 11:16:12 +0200
commit20d885c77680fc082640c0a7340be44cd02b2779 (patch)
treea7b20520a3f1e6648ed9dbb5bc72321007bace84 /Bugzilla/Auth
parentb3e936bf2bbc1fb1ec55732703650d9f78dfd5f0 (diff)
downloadbugzilla-20d885c77680fc082640c0a7340be44cd02b2779.tar.gz
bugzilla-20d885c77680fc082640c0a7340be44cd02b2779.tar.xz
Bug 428659 – Setting SSL param to 'authenticated sessions' only protects logins and param
doesn't protect WebService calls at all Patch by David Lawrence <dkl@redhat.com> - r/a=LpSolit/mkanat
Diffstat (limited to 'Bugzilla/Auth')
-rw-r--r--Bugzilla/Auth/Login/CGI.pm11
1 files changed, 8 insertions, 3 deletions
diff --git a/Bugzilla/Auth/Login/CGI.pm b/Bugzilla/Auth/Login/CGI.pm
index 980e27123..9e008be82 100644
--- a/Bugzilla/Auth/Login/CGI.pm
+++ b/Bugzilla/Auth/Login/CGI.pm
@@ -65,12 +65,17 @@ sub fail_nodata {
->faultstring('Login Required');
}
- # Redirect to SSL if required
- if (Bugzilla->params->{'sslbase'} ne ''
- and Bugzilla->params->{'ssl'} ne 'never')
+ # If system is not configured to never require SSL connections
+ # we want to always redirect to SSL since passing usernames and
+ # passwords over an unprotected connection is a bad idea. If we
+ # get here then a login form will be provided to the user so we
+ # want this to be protected if possible.
+ if ($cgi->protocol ne 'https' && Bugzilla->params->{'sslbase'} ne ''
+ && Bugzilla->params->{'ssl'} ne 'never')
{
$cgi->require_https(Bugzilla->params->{'sslbase'});
}
+
print $cgi->header();
$template->process("account/auth/login.html.tmpl",
{ 'target' => $cgi->url(-relative=>1) })