authordkl%redhat.com <>2008-07-10 11:56:11 +0200
committerdkl%redhat.com <>2008-07-10 11:56:11 +0200
commita7e7ed0f3a1d29800187a216b0363e0276d2f4ec (patch)
tree3a432943e95f96181b967935b22b89c8837839dd /Bugzilla/Util.pm
parent19cb881523a402a9c5feea49d84f991e7d2dc76c (diff)
Bug 428659 – Setting SSL param to 'authenticated sessions' only protects logins and param doesn't protect WebService calls at all
Patch by Dave Lawrence <dkl@redhat.com> - r/a=mkanat
Diffstat (limited to 'Bugzilla/Util.pm')
-rw-r--r--Bugzilla/Util.pm22
1 files changed, 21 insertions, 1 deletions
diff --git a/Bugzilla/Util.pm b/Bugzilla/Util.pm
index e7a76e21d..8e521c24a 100644
--- a/Bugzilla/Util.pm
+++ b/Bugzilla/Util.pm
@@ -36,7 +36,7 @@ use base qw(Exporter);
html_quote url_quote xml_quote
css_class_quote html_light_quote url_decode
i_am_cgi get_netaddr correct_urlbase
- lsearch
+ lsearch ssl_require_redirect
diff_arrays diff_strings
trim wrap_hard wrap_comment find_wrap_point
format_time format_time_decimal validate_date
@@ -218,6 +218,26 @@ sub i_am_cgi {
return exists $ENV{'SERVER_SOFTWARE'} ? 1 : 0;
}
+sub ssl_require_redirect {
+ my $method = shift;
+
+ # Redirect to SSL if required.
+ if (!(uc($ENV{HTTPS}) eq 'ON' || $ENV{'SERVER_PORT'} == 443)
+ && Bugzilla->params->{'sslbase'} ne '')
+ {
+ if (Bugzilla->params->{'ssl'} eq 'always'
+ || (Bugzilla->params->{'ssl'} eq 'authenticated sessions'
+ && Bugzilla->user->id)
+ || (Bugzilla->params->{'ssl'} eq 'authenticated sessions'
+ && !Bugzilla->user->id && $method eq 'User.login'))
+ {
+ return 1;
+ }
+ }
+
+ return 0;
+}
+
sub correct_urlbase {
my $ssl = Bugzilla->params->{'ssl'};
return Bugzilla->params->{'urlbase'} if $ssl eq 'never';
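Review bot: In `ssl_require_redirect`, the `'authenticated sessions'` branch for `User.login` can only signal a redirect after the request has already arrived, so a plain-HTTP `User.login` call has sent its login and password unencrypted before this check runs. The callers are outside this hunk, so it is worth confirming that WebService clients get an error rather than a silent redirect that hides the exposure. The first `if` also compares `$ENV{HTTPS}` and `$ENV{'SERVER_PORT'}` without checking that they are defined, and `$method` is undef when a caller passes no argument, so these comparisons can emit uninitialized-value warnings if warnings are enabled; `uc($ENV{HTTPS} || '') eq 'ON'` and `defined $method && $method eq 'User.login'` avoid that. The HTTPS test also assumes TLS ends at this server on port 443, so a deployment behind a TLS-terminating proxy or on another port may be judged non-SSL and redirected repeatedly. The new exported sub has no comment; I would add `# Returns 1 if the request is not over SSL and the 'ssl' param requires SSL for this user or WebService method, else 0.` above it.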