author | lpsolit%gmail.com <> | 2009-02-02 19:21:33 +0100 |
---|---|---|
committer | lpsolit%gmail.com <> | 2009-02-02 19:21:33 +0100 |
commit | 8d70890dc0b7c24b25a344808ac4e63e6a5dd74e (patch) | |
tree | cc80d283ac39c08f00620b66a6fc991c5c3ad857 /Bugzilla/CGI.pm | |
parent | b23648ca247167be26f1b51bd592b29309ebbc63 (diff) | |
Bug 38862: [SECURITY] attachments should be at a different hostname - Patch by Byron Jones <bugzilla@glob.com.au> and Frédéric Buclin <LpSolit@gmail.com> r=mkanat a=LpSolit
Diffstat (limited to 'Bugzilla/CGI.pm')
-rw-r--r-- | Bugzilla/CGI.pm | 24 |
1 files changed, 24 insertions, 0 deletions
diff --git a/Bugzilla/CGI.pm b/Bugzilla/CGI.pm
index 68d3ef69d..d7934f89b 100644
--- a/Bugzilla/CGI.pm
+++ b/Bugzilla/CGI.pm
@@ -71,6 +71,18 @@ sub new {
 # Send appropriate charset
 $self->charset(Bugzilla->params->{'utf8'} ? 'UTF-8' : '');
 
+ # Redirect to urlbase/sslbase if we are not viewing an attachment.
+ if (use_attachbase() && i_am_cgi()) {
+ my $cgi_file = $self->url('-path_info' => 0, '-query' => 0, '-relative' => 1);
+ $cgi_file =~ s/\?$//;
+ my $urlbase = Bugzilla->params->{'urlbase'};
+ my $sslbase = Bugzilla->params->{'sslbase'};
+ my $path_regexp = $sslbase ? qr/^(\Q$urlbase\E|\Q$sslbase\E)/ : qr/^\Q$urlbase\E/;
+ if ($cgi_file ne 'attachment.cgi' && $self->self_url !~ /$path_regexp/) {
+ $self->redirect_to_urlbase;
+ }
+ }
+
 # Check for errors
 # All of the Bugzilla code wants to do this, so do it here instead of
 # in each script
@@ -351,6 +363,14 @@ sub require_https {
 exit;
 }
 
+# Redirect to the urlbase version of the current URL.
+sub redirect_to_urlbase {
+ my $self = shift;
+ my $path = $self->url('-path_info' => 1, '-query' => 1, '-relative' => 1);
+ print $self->redirect('-location' => correct_urlbase() . $path);
+ exit;
+}
+
 1;
 
 __END__
@@ -421,6 +441,10 @@ If the client is using XMLRPC, it will not retain the QUERY_STRING since XMLRPC
 It takes an optional argument which will be used as the base URL. If $baseurl
 is not provided, the current URL is used.
 
+=item C<redirect_to_urlbase>
+
+Redirects from the current URL to one prefixed by the urlbase parameter.
+
 =back
 
 =head1 SEE ALSO |
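Review bot: The host check added to `new` is a bare prefix match (`$self->self_url !~ /$path_regexp/`), so it only excludes a different hostname if `urlbase` and `sslbase` end in `/`; with a value like `http://example.com` the pattern would also accept `http://example.com.other/…` and the redirect would be skipped. If the parameter checker already guarantees the trailing slash (not visible in this hunk), say so in the comment, e.g. `# Relies on urlbase/sslbase ending in '/', otherwise the prefix match could accept a longer hostname.`; if it does not, append a `/` to each value before building `$path_regexp`. `use_attachbase`, `i_am_cgi` and `correct_urlbase` are called as plain functions, so the `use Bugzilla::Util`/`Bugzilla::Constants` import lines outside this hunk need to export them. `sub new` starts and ends outside the hunk.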
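Review bot: `redirect_to_urlbase` never returns because of the `exit` after the `print`, and the one-line comment above it does not say so, although the caller in `new` relies on it to stop processing the request on the wrong host. Suggest replacing that comment with `# Never returns: prints the redirect header and exits. $path is relative (script name, path_info and query string), so the target is always under correct_urlbase().`. The `print $self->redirect(...)` / `exit` pair matches what `require_https` does in the context lines, so the style is consistent; whether `exit` behaves the same under mod_perl presumably follows from how `require_https` is already handled, which is outside this hunk to confirm.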