authordkl%redhat.com <>2008-08-18 11:16:12 +0200
committerdkl%redhat.com <>2008-08-18 11:16:12 +0200
commit20d885c77680fc082640c0a7340be44cd02b2779 (patch)
treea7b20520a3f1e6648ed9dbb5bc72321007bace84 /Bugzilla/Util.pm
parentb3e936bf2bbc1fb1ec55732703650d9f78dfd5f0 (diff)
downloadbugzilla-20d885c77680fc082640c0a7340be44cd02b2779.tar.gz
bugzilla-20d885c77680fc082640c0a7340be44cd02b2779.tar.xz
Bug 428659 – Setting SSL param to 'authenticated sessions' only protects logins and param
doesn't protect WebService calls at all. Patch by David Lawrence <dkl@redhat.com> - r/a=LpSolit/mkanat
Diffstat (limited to 'Bugzilla/Util.pm')
-rw-r--r--Bugzilla/Util.pm42
1 files changed, 41 insertions, 1 deletions
diff --git a/Bugzilla/Util.pm b/Bugzilla/Util.pm
index e7a76e21d..1e7dbf8d1 100644
--- a/Bugzilla/Util.pm
+++ b/Bugzilla/Util.pm
@@ -36,7 +36,7 @@ use base qw(Exporter);
html_quote url_quote xml_quote
css_class_quote html_light_quote url_decode
i_am_cgi get_netaddr correct_urlbase
- lsearch
+ lsearch ssl_require_redirect
diff_arrays diff_strings
trim wrap_hard wrap_comment find_wrap_point
format_time format_time_decimal validate_date
@@ -218,6 +218,46 @@ sub i_am_cgi {
return exists $ENV{'SERVER_SOFTWARE'} ? 1 : 0;
}
+sub ssl_require_redirect {
+ my $method = shift;
+
+ # If currently not in a protected SSL
+ # connection, determine if a redirection is
+ # needed based on value in Bugzilla->params->{ssl}.
+ # If we are already in a protected connection or
+ # sslbase is not set then no action is required.
+ if (uc($ENV{'HTTPS'}) ne 'ON'
+ && $ENV{'SERVER_PORT'} != 443
+ && Bugzilla->params->{'sslbase'} ne '')
+ {
+ # System is configured to never require SSL
+ # so no redirection is needed.
+ return 0
+ if Bugzilla->params->{'ssl'} eq 'never';
+
+ # System is configured to always require a SSL
+ # connection so we need to redirect.
+ return 1
+ if Bugzilla->params->{'ssl'} eq 'always';
+
+ # System is configured such that if we are inside
+ # of an authenticated session, then we need to make
+ # sure that all of the connections are over SSL. Non
+ # authenticated sessions SSL is not mandatory.
+ # For XMLRPC requests, if the method is User.login
+ # then we always want the connection to be over SSL
+ # if the system is configured for authenticated
+ # sessions since the user's username and password
+ # will be passed before the user is logged in.
+ return 1
+ if Bugzilla->params->{'ssl'} eq 'authenticated sessions'
+ && (Bugzilla->user->id
+ || (defined $method && $method eq 'User.login'));
+ }
+
+ return 0;
+}
+
sub correct_urlbase {
my $ssl = Bugzilla->params->{'ssl'};
return Bugzilla->params->{'urlbase'} if $ssl eq 'never';