summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
-rw-r--r--CGI.pl12
-rwxr-xr-xprocess_bug.cgi10
2 files changed, 17 insertions, 5 deletions
diff --git a/CGI.pl b/CGI.pl
index 0980366bd..138e52414 100644
--- a/CGI.pl
+++ b/CGI.pl
@@ -20,6 +20,7 @@
# Contributor(s): Terry Weissman <terry@mozilla.org>
# Dan Mosedale <dmose@mozilla.org>
# Joe Robins <jmrobins@tgix.com>
+# Dave Miller <justdave@syndicomm.com>
# Contains some global routines used throughout the CGI scripts of Bugzilla.
@@ -914,9 +915,14 @@ Content-type: text/html
$nexturl = $&;
}
my $method = "POST";
- if (defined $ENV{"REQUEST_METHOD"} && length($::buffer) > 1) {
- $method = $ENV{"REQUEST_METHOD"};
- }
+# We always want to use POST here, because we're submitting a password and don't
+# want to see it in the location bar in the browser in case a co-worker is looking
+# over your shoulder. If you have cookies off and need to bookmark the query, you
+# can bookmark it from the screen asking for your password, and it should still
+# work. See http://bugzilla.mozilla.org/show_bug.cgi?id=15980
+# if (defined $ENV{"REQUEST_METHOD"} && length($::buffer) > 1) {
+# $method = $ENV{"REQUEST_METHOD"};
+# }
print "
<FORM action=$nexturl method=$method>
<table>
diff --git a/process_bug.cgi b/process_bug.cgi
index 81f6846b8..1b02b7b0c 100755
--- a/process_bug.cgi
+++ b/process_bug.cgi
@@ -724,8 +724,14 @@ The changes made were:
$::FORM{'delta_ts'} = $delta_ts;
print "<li><form method=post>";
foreach my $i (keys %::FORM) {
- my $value = value_quote($::FORM{$i});
- print qq{<input type=hidden name="$i" value="$value">\n};
+ # Make sure we don't include the username/password fields in the
+ # HTML. If cookies are off, they'll have to reauthenticate after
+ # hitting "submit changes anyway".
+ # see http://bugzilla.mozilla.org/show_bug.cgi?id=15980
+ if ($i !~ /^(Bugzilla|LDAP)_(login|password)$/) {
+ my $value = value_quote($::FORM{$i});
+ print qq{<input type=hidden name="$i" value="$value">\n};
+ }
}
print qq{<input type=submit value="Submit my changes anyway">\n};
print " This will cause all of the above changes to be overwritten";