diff options
| author | dkl%redhat.com <> | 2008-08-18 11:16:12 +0200 |
|---|---|---|
| committer | dkl%redhat.com <> | 2008-08-18 11:16:12 +0200 |
| commit | 20d885c77680fc082640c0a7340be44cd02b2779 (patch) | |
| tree | a7b20520a3f1e6648ed9dbb5bc72321007bace84 /token.cgi | |
| parent | b3e936bf2bbc1fb1ec55732703650d9f78dfd5f0 (diff) | |
| download | bugzilla-20d885c77680fc082640c0a7340be44cd02b2779.tar.gz bugzilla-20d885c77680fc082640c0a7340be44cd02b2779.tar.xz | |
Bug 428659 â Setting SSL param to 'authenticated sessions' only protects logins and param
doesn't protect WebService calls at all
Patch by David Lawrence <dkl@redhat.com> - r/a=LpSolit/mkanat
Diffstat (limited to 'token.cgi')
| -rwxr-xr-x | token.cgi | 5 |
1 files changed, 3 insertions, 2 deletions
@@ -346,8 +346,9 @@ sub request_create_account { $vars->{'email'} = $login_name . Bugzilla->params->{'emailsuffix'}; $vars->{'date'} = str2time($date); - # We require a HTTPS connection if possible. - if (Bugzilla->params->{'sslbase'} ne '' + # When 'ssl' equals 'always' or 'authenticated sessions', + # we want this form to always be over SSL. + if ($cgi->protocol ne 'https' && Bugzilla->params->{'sslbase'} ne '' && Bugzilla->params->{'ssl'} ne 'never') { $cgi->require_https(Bugzilla->params->{'sslbase'}); |