diff options
| author | dkl%redhat.com <> | 2008-07-10 11:56:11 +0200 |
|---|---|---|
| committer | dkl%redhat.com <> | 2008-07-10 11:56:11 +0200 |
| commit | a7e7ed0f3a1d29800187a216b0363e0276d2f4ec (patch) | |
| tree | 3a432943e95f96181b967935b22b89c8837839dd /Bugzilla/CGI.pm | |
| parent | 19cb881523a402a9c5feea49d84f991e7d2dc76c (diff) | |
| download | bugzilla-a7e7ed0f3a1d29800187a216b0363e0276d2f4ec.tar.gz bugzilla-a7e7ed0f3a1d29800187a216b0363e0276d2f4ec.tar.xz | |
Bug 428659 â Setting SSL param to 'authenticated sessions' only protects logins and param doesn't protect WebService calls at all
Patch by Dave Lawrence <dkl@redhat.com> - r/a=mkanat
Diffstat (limited to 'Bugzilla/CGI.pm')
| -rw-r--r-- | Bugzilla/CGI.pm | 30 |
1 files changed, 15 insertions, 15 deletions
diff --git a/Bugzilla/CGI.pm b/Bugzilla/CGI.pm index aeb8419ca..4c62ab3ac 100644 --- a/Bugzilla/CGI.pm +++ b/Bugzilla/CGI.pm @@ -72,9 +72,8 @@ sub new { $self->charset(Bugzilla->params->{'utf8'} ? 'UTF-8' : ''); # Redirect to SSL if required - if (Bugzilla->params->{'sslbase'} ne '' - && Bugzilla->params->{'ssl'} eq 'always' - && i_am_cgi()) + if (i_am_cgi() && Bugzilla->usage_mode != USAGE_MODE_WEBSERVICE + && ssl_require_redirect()) { $self->require_https(Bugzilla->params->{'sslbase'}); } @@ -297,18 +296,19 @@ sub remove_cookie { # Redirect to https if required sub require_https { - my $self = shift; - if ($self->protocol ne 'https') { - my $url = shift; - if (defined $url) { - $url .= $self->url('-path_info' => 1, '-query' => 1, '-relative' => 1); - } else { - $url = $self->self_url; - $url =~ s/^http:/https:/i; - } - print $self->redirect(-location => $url); - exit; + my ($self, $url) = @_; + # Do not create query string if data submitted via XMLRPC + my $query = Bugzilla->usage_mode == USAGE_MODE_WEBSERVICE ? 0 : 1; + # XMLRPC clients (SOAP::Lite at least) requires 301 to redirect properly + my $status = Bugzilla->usage_mode == USAGE_MODE_WEBSERVICE ? 301 : 302; + if (defined $url) { + $url .= $self->url('-path_info' => 1, '-query' => $query, '-relative' => 1); + } else { + $url = $self->self_url; + $url =~ s/^http:/https:/i; } + print $self->redirect(-location => $url, -status => $status). "\n"; + exit; } 1; @@ -378,7 +378,7 @@ As its only argument, it takes the name of the cookie to expire. This routine checks if the current page is being served over https, and redirects to the https protocol if required, retaining QUERY_STRING. -It takes an option argument which will be used as the base URL. If $baseurl +It takes an optional argument which will be used as the base URL. If $baseurl is not provided, the current URL is used. =back |