Patch for bug 260682: Support redirecting to HTTPS always or for authenticated sessions only; patch by Byron Jones (glob) <bugzilla@glob.com.au>, r=vladd, a=myk.

1 files changed, 28 insertions, 0 deletions

diff --git a/Bugzilla/CGI.pm b/Bugzilla/CGI.pm
index e81cf5da8..ce0a8ab6c 100644
--- a/Bugzilla/CGI.pm
+++ b/Bugzilla/CGI.pm
@@ -52,6 +52,11 @@ sub new {
     # Make sure that we don't send any charset headers
     $self->charset('');
 
+    # Redirect to SSL if required
+    if (Param('sslbase') ne '' and Param('ssl') eq 'always') {
+        $self->require_https(Param('sslbase'));
+    }
+
     # Check for errors
     # All of the Bugzilla code wants to do this, so do it here instead of
     # in each script
@@ -185,6 +190,21 @@ sub send_cookie {
     return;
 }
 
+# Redirect to https if required
+sub require_https {
+    my $self = shift;
+    if ($self->protocol ne 'https') {
+        my $url = shift;
+        if (defined $url) {
+            $url .= $self->url('-path_info' => 1, '-query' => 1, '-relative' => 1);
+        } else {
+            $url = $self->self_url;
+            $url =~ s/^http:/https:/i;
+        }
+        print $self->redirect(-location => $url);
+        exit;
+    }
+}
 
 1;
 
@@ -238,6 +258,14 @@ Bugzilla code (instead of C<cookie> or the C<-cookie> argument to C<header>),
 so that under mod_perl the headers can be sent correctly, using C<print> or
 the mod_perl APIs as appropriate.
 
+=item C<require_https($baseurl)>
+
+This routine checks if the current page is being served over https, and
+redirects to the https protocol if required, retaining QUERY_STRING.
+
+It takes an option argument which will be used as the base URL.  If $baseurl
+is not provided, the current URL is used.
+
 =back
 
 =head1 SEE ALSO