diff options
author | dkl%redhat.com <> | 2008-08-18 11:16:12 +0200 |
---|---|---|
committer | dkl%redhat.com <> | 2008-08-18 11:16:12 +0200 |
commit | 20d885c77680fc082640c0a7340be44cd02b2779 (patch) | |
tree | a7b20520a3f1e6648ed9dbb5bc72321007bace84 /Bugzilla/Auth | |
parent | b3e936bf2bbc1fb1ec55732703650d9f78dfd5f0 (diff) | |
download | bugzilla-20d885c77680fc082640c0a7340be44cd02b2779.tar.gz bugzilla-20d885c77680fc082640c0a7340be44cd02b2779.tar.xz |
Bug 428659 â Setting SSL param to 'authenticated sessions' only protects logins and param
doesn't protect WebService calls at all
Patch by David Lawrence <dkl@redhat.com> - r/a=LpSolit/mkanat
Diffstat (limited to 'Bugzilla/Auth')
-rw-r--r-- | Bugzilla/Auth/Login/CGI.pm | 11 |
1 files changed, 8 insertions, 3 deletions
diff --git a/Bugzilla/Auth/Login/CGI.pm b/Bugzilla/Auth/Login/CGI.pm index 980e27123..9e008be82 100644 --- a/Bugzilla/Auth/Login/CGI.pm +++ b/Bugzilla/Auth/Login/CGI.pm @@ -65,12 +65,17 @@ sub fail_nodata { ->faultstring('Login Required'); } - # Redirect to SSL if required - if (Bugzilla->params->{'sslbase'} ne '' - and Bugzilla->params->{'ssl'} ne 'never') + # If system is not configured to never require SSL connections + # we want to always redirect to SSL since passing usernames and + # passwords over an unprotected connection is a bad idea. If we + # get here then a login form will be provided to the user so we + # want this to be protected if possible. + if ($cgi->protocol ne 'https' && Bugzilla->params->{'sslbase'} ne '' + && Bugzilla->params->{'ssl'} ne 'never') { $cgi->require_https(Bugzilla->params->{'sslbase'}); } + print $cgi->header(); $template->process("account/auth/login.html.tmpl", { 'target' => $cgi->url(-relative=>1) }) |