diff options
| author | Frédéric Buclin <LpSolit@gmail.com> | 2014-04-17 18:11:12 +0200 |
|---|---|---|
| committer | Frédéric Buclin <LpSolit@gmail.com> | 2014-04-17 18:11:12 +0200 |
| commit | 0e390970ba51b14a5dc780be7c6f0d6d7baa67e3 (patch) | |
| tree | 5e3a8751012a0c99769129494d1863a3a9ca5d9f /Bugzilla/WebService.pm | |
| parent | b639a1a7f4ed58f8d30058509444e44be3095f53 (diff) | |
| download | bugzilla-0e390970ba51b14a5dc780be7c6f0d6d7baa67e3.tar.gz bugzilla-0e390970ba51b14a5dc780be7c6f0d6d7baa67e3.tar.xz | |
Bug 713926: (CVE-2014-1517) [SECURITY] Login form lacks CSRF protection
r=dkl a=justdave
Diffstat (limited to 'Bugzilla/WebService.pm')
| -rw-r--r-- | Bugzilla/WebService.pm | 38 |
1 files changed, 17 insertions, 21 deletions
diff --git a/Bugzilla/WebService.pm b/Bugzilla/WebService.pm index 9638d1132..ebad7930a 100644 --- a/Bugzilla/WebService.pm +++ b/Bugzilla/WebService.pm @@ -141,9 +141,7 @@ There are various ways to log in: =item C<User.login> You can use L<Bugzilla::WebService::User/login> to log in as a Bugzilla -user. This issues standard HTTP cookies that you must then use in future -calls, so your client must be capable of receiving and transmitting -cookies. +user. This issues a token that you must then use in future calls. =item C<Bugzilla_login> and C<Bugzilla_password> @@ -163,30 +161,28 @@ WebService method to perform a login: =item C<Bugzilla_restrictlogin> (boolean) - Optional. If true, then your login will only be valid for your IP address. -=item C<Bugzilla_rememberlogin> (boolean) - Optional. If true, -then the cookie sent back to you with the method response will -not expire. - =back -The C<Bugzilla_restrictlogin> and C<Bugzilla_rememberlogin> options -are only used when you have also specified C<Bugzilla_login> and -C<Bugzilla_password>. - -Note that Bugzilla will return HTTP cookies along with the method -response when you use these arguments (just like the C<User.login> method -above). +The C<Bugzilla_restrictlogin> option is only used when you have also +specified C<Bugzilla_login> and C<Bugzilla_password>. -For REST, you may also use the C<username> and C<password> variable +For REST, you may also use the C<login> and C<password> variable names instead of C<Bugzilla_login> and C<Bugzilla_password> as a -convenience. +convenience. You may also use C<token> instead of C<Bugzilla_token>. + +=item C<Bugzilla_token> + +B<Added in Bugzilla 5.0> + +You can specify C<Bugzilla_token> as argument to any WebService method, +and you will be logged in as that user if the token is correct. This is +the token returned when calling C<User.login> mentioned above. -=item B<Added in Bugzilla 5.0> +An error is thrown if you pass an invalid token and you will need to log +in again to get a new token. -An error is now thrown if you pass invalid cookies or an invalid token. -You will need to log in again to get new cookies or a new token. Previous -releases simply ignored invalid cookies and token support was added in -Bugzilla B<5.0>. +Token support was added in Bugzilla B<5.0> and support for login cookies +has been dropped for security reasons. =back |