author | dkl%redhat.com <> | 2008-08-18 11:16:12 +0200 |
---|---|---|
committer | dkl%redhat.com <> | 2008-08-18 11:16:12 +0200 |
commit | 20d885c77680fc082640c0a7340be44cd02b2779 (patch) | |
tree | a7b20520a3f1e6648ed9dbb5bc72321007bace84 /Bugzilla/WebService.pm | |
parent | b3e936bf2bbc1fb1ec55732703650d9f78dfd5f0 (diff) | |
download | bugzilla-20d885c77680fc082640c0a7340be44cd02b2779.tar.gz bugzilla-20d885c77680fc082640c0a7340be44cd02b2779.tar.xz |
Bug 428659 - Setting SSL param to 'authenticated sessions' only protects logins and param
doesn't protect WebService calls at all
Patch by David Lawrence <dkl@redhat.com> - r/a=LpSolit/mkanat
Diffstat (limited to 'Bugzilla/WebService.pm')
-rwxr-xr-x | Bugzilla/WebService.pm | 17 |
1 files changed, 16 insertions, 1 deletions
diff --git a/Bugzilla/WebService.pm b/Bugzilla/WebService.pm
index 7812a237b..d1502468d 100755
--- a/Bugzilla/WebService.pm
+++ b/Bugzilla/WebService.pm
@@ -19,6 +19,7 @@ package Bugzilla::WebService;
 use strict;
 use Bugzilla::WebService::Constants;
+use Bugzilla::Util;
 use Date::Parse;
 use XMLRPC::Lite;
@@ -49,7 +50,21 @@ sub handle_login {
     eval "require $class";
     return if $class->login_exempt($method);
-    Bugzilla->login;
+    Bugzilla->login();
+
+    # Even though we check for the need to redirect in
+    # Bugzilla->login() we check here again since Bugzilla->login()
+    # does not know what the current XMLRPC method is. Therefore
+    # ssl_require_redirect in Bugzilla->login() will have returned
+    # false if system was configured to redirect for authenticated
+    # sessions and the user was not yet logged in.
+    # So here we pass in the method name to ssl_require_redirect so
+    # it can then check for the extra case where the method equals
+    # User.login, which we would then need to redirect if not
+    # over a secure connection.
+    my $full_method = $uri . "." . $method;
+    Bugzilla->cgi->require_https(Bugzilla->params->{'sslbase'})
+        if ssl_require_redirect($full_method);
     return;
 }
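Review bot: The new HTTPS check in the second hunk sits below `return if $class->login_exempt($method);`, so for any method that login_exempt() reports as exempt the check is never reached; if User.login is one of those (it is the case the long comment says this check exists for), the redirect for an insecure login call would still not happen. Consider evaluating the redirect before the exemption, e.g. `Bugzilla->cgi->require_https(Bugzilla->params->{'sslbase'}) if ssl_require_redirect("$uri.$method");` placed above the `return if` line, and confirming against the User module's exemption list. The `$uri` and `$method` variables used to build `$full_method` are assigned at the top of handle_login, which starts outside the hunk, so whether they are always defined here cannot be seen from this diff. The ten-line comment could be condensed to state the one fact that matters: Bugzilla->login() cannot see the method name, so the User.login case must be re-checked here.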