diff options
| author | mkanat%bugzilla.org <> | 2009-10-24 07:22:45 +0200 |
|---|---|---|
| committer | mkanat%bugzilla.org <> | 2009-10-24 07:22:45 +0200 |
| commit | f9cd15c79202a50d7c0a3f9aa8de45c2c23cdb49 (patch) | |
| tree | 8a45972d5cc074cd689c1a6215ebc5cbfa72ed2c /Bugzilla | |
| parent | a2dd3b00284fd4724d3408274cb1156c7a77d187 (diff) | |
| download | bugzilla-f9cd15c79202a50d7c0a3f9aa8de45c2c23cdb49.tar.gz bugzilla-f9cd15c79202a50d7c0a3f9aa8de45c2c23cdb49.tar.xz | |
Bug 523495: Re-work attachment.cgi and the general attachment_base-checking code to prevent an infinite redirect loop when ssl_redirect is on and Bugzilla has an attachment_base set.
Patch by Max Kanat-Alexander <mkanat@bugzilla.org> r=LpSolit, a=LpSolit
Diffstat (limited to 'Bugzilla')
| -rw-r--r-- | Bugzilla/CGI.pm | 36 |
1 files changed, 27 insertions, 9 deletions
diff --git a/Bugzilla/CGI.pm b/Bugzilla/CGI.pm index c30e13618..8c68f996c 100644 --- a/Bugzilla/CGI.pm +++ b/Bugzilla/CGI.pm @@ -28,6 +28,8 @@ use Bugzilla::Constants; use Bugzilla::Error; use Bugzilla::Util; +use File::Basename; + BEGIN { if (ON_WINDOWS) { # Help CGI find the correct temp directory as the default list @@ -71,15 +73,9 @@ sub new { $self->charset(Bugzilla->params->{'utf8'} ? 'UTF-8' : ''); # Redirect to urlbase/sslbase if we are not viewing an attachment. - if (use_attachbase() && i_am_cgi()) { - my $cgi_file = $self->url('-path_info' => 0, '-query' => 0, '-relative' => 1); - $cgi_file =~ s/\?$//; - my $urlbase = Bugzilla->params->{'urlbase'}; - my $sslbase = Bugzilla->params->{'sslbase'}; - my $path_regexp = $sslbase ? qr/^(\Q$urlbase\E|\Q$sslbase\E)/ : qr/^\Q$urlbase\E/; - if ($cgi_file ne 'attachment.cgi' && $self->self_url !~ /$path_regexp/) { - $self->redirect_to_urlbase; - } + my $script = basename($0); + if ($self->url_is_attachment_base and $script ne 'attachment.cgi') { + $self->redirect_to_urlbase(); } # Check for errors @@ -398,6 +394,28 @@ sub redirect_to_urlbase { exit; } +sub url_is_attachment_base { + my ($self, $id) = @_; + return 0 if !use_attachbase() or !i_am_cgi(); + my $attach_base = Bugzilla->params->{'attachment_base'}; + # If we're passed an id, we only want one specific attachment base + # for a particular bug. If we're not passed an ID, we just want to + # know if our current URL matches the attachment_base *pattern*. + my $regex; + if ($id) { + $attach_base =~ s/\%bugid\%/$id/; + $regex = quotemeta($attach_base); + } + else { + # In this circumstance we run quotemeta first because we need to + # insert an active regex meta-character afterward. + $regex = quotemeta($attach_base); + $regex =~ s/\\\%bugid\\\%/\\d+/; + } + $regex = "^$regex"; + return ($self->self_url =~ $regex) ? 1 : 0; +} + 1; __END__ |