Bug 428659 â Setting SSL param to 'authenticated sessions' only protects logins and param

doesn't protect WebService calls at all Patch by David Lawrence <dkl@redhat.com> - r/a=LpSolit/mkanat
author: dkl%redhat.com <> 2008-08-18 11:16:12 +0200
committer: dkl%redhat.com <> 2008-08-18 11:16:12 +0200
commit: 20d885c77680fc082640c0a7340be44cd02b2779 (patch)
tree: a7b20520a3f1e6648ed9dbb5bc72321007bace84 /index.cgi
parent: b3e936bf2bbc1fb1ec55732703650d9f78dfd5f0 (diff)
download: bugzilla-20d885c77680fc082640c0a7340be44cd02b2779.tar.gz
bugzilla-20d885c77680fc082640c0a7340be44cd02b2779.tar.xz
1 files changed, 3 insertions, 1 deletions
diff --git a/index.cgi b/index.cgi
index 100941765..89880d163 100755
--- a/index.cgi
+++ b/index.cgi
@@ -46,7 +46,9 @@ my $user = Bugzilla->login(LOGIN_OPTIONAL);
 my $cgi = Bugzilla->cgi;
 # Force to use HTTPS unless Bugzilla->params->{'ssl'} equals 'never'.
 # This is required because the user may want to log in from here.
-if (Bugzilla->params->{'sslbase'} ne '' and Bugzilla->params->{'ssl'} ne 'never') {
+if ($cgi->protocol ne 'https' && Bugzilla->params->{'sslbase'} ne ''
+    && Bugzilla->params->{'ssl'} ne 'never')
+{
     $cgi->require_https(Bugzilla->params->{'sslbase'});
 }
author	dkl%redhat.com <>	2008-08-18 11:16:12 +0200
committer	dkl%redhat.com <>	2008-08-18 11:16:12 +0200
commit	20d885c77680fc082640c0a7340be44cd02b2779 (patch)
tree	a7b20520a3f1e6648ed9dbb5bc72321007bace84 /index.cgi
parent	b3e936bf2bbc1fb1ec55732703650d9f78dfd5f0 (diff)
download	bugzilla-20d885c77680fc082640c0a7340be44cd02b2779.tar.gz bugzilla-20d885c77680fc082640c0a7340be44cd02b2779.tar.xz