diff options
author | David Lawrence <dkl@mozilla.com> | 2014-11-04 04:11:09 +0100 |
---|---|---|
committer | Byron Jones <glob@mozilla.com> | 2014-11-04 04:11:09 +0100 |
commit | 4e1941fedbe46bafce9aded3a0a38d272fec37a2 (patch) | |
tree | 633351ada50932ec6b747705b95e0bd04e39f05e /Bugzilla/CGI.pm | |
parent | d6ee5ade172abe24389aca15eba9fe922b5697c7 (diff) | |
download | bugzilla-4e1941fedbe46bafce9aded3a0a38d272fec37a2.tar.gz bugzilla-4e1941fedbe46bafce9aded3a0a38d272fec37a2.tar.xz |
Bug 1090427: Backport bug 713926 to bmo/4.2 to protect against csrf for login forms
Diffstat (limited to 'Bugzilla/CGI.pm')
-rw-r--r-- | Bugzilla/CGI.pm | 13 |
1 files changed, 13 insertions, 0 deletions
diff --git a/Bugzilla/CGI.pm b/Bugzilla/CGI.pm index a12fb284b..552da28ea 100644 --- a/Bugzilla/CGI.pm +++ b/Bugzilla/CGI.pm @@ -331,6 +331,7 @@ sub close_standby_message { # Override header so we can add the cookies in sub header { my $self = shift; + my $user = Bugzilla->user; # If there's only one parameter, then it's a Content-Type. if (scalar(@_) == 1) { @@ -338,6 +339,18 @@ sub header { unshift(@_, '-type' => shift(@_)); } + if (!$user->id && $user->authorizer->can_login + && !$self->cookie('Bugzilla_login_request_cookie')) + { + my %args; + $args{'-secure'} = 1 if Bugzilla->params->{ssl_redirect}; + + $self->send_cookie(-name => 'Bugzilla_login_request_cookie', + -value => generate_random_password(), + -httponly => 1, + %args); + } + # Add the cookies in if we have any if (scalar(@{$self->{Bugzilla_cookie_list}})) { unshift(@_, '-cookie' => $self->{Bugzilla_cookie_list}); |