Diffstat (limited to 'Bugzilla/CGI.pm')
-rw-r--r-- | Bugzilla/CGI.pm | 17 |
1 files changed, 16 insertions, 1 deletions
diff --git a/Bugzilla/CGI.pm b/Bugzilla/CGI.pm
index 7135f7c48..7f98c1653 100644
--- a/Bugzilla/CGI.pm
+++ b/Bugzilla/CGI.pm
@@ -73,11 +73,22 @@ sub new {
 # Make sure our outgoing cookie list is empty on each invocation
 $self->{Bugzilla_cookie_list} = [];
+ # Path-Info is of no use for Bugzilla and interacts badly with IIS.
+ # Moreover, it causes unexpected behaviors, such as totally breaking
+ # the rendering of pages.
+ my $script = basename($0);
+ if ($self->path_info) {
+ my @whitelist;
+ Bugzilla::Hook::process('path_info_whitelist', { whitelist => \@whitelist });
+ if (!grep($_ eq $script, @whitelist)) {
+ print $self->redirect($self->url(-path => 0, -query => 1));
+ }
+ }
+
 # Send appropriate charset
 $self->charset(Bugzilla->params->{'utf8'} ? 'UTF-8' : '');
 # Redirect to urlbase/sslbase if we are not viewing an attachment.
- my $script = basename($0);
 if ($self->url_is_attachment_base and $script ne 'attachment.cgi') {
 $self->redirect_to_urlbase();
 }
@@ -316,6 +327,10 @@ sub header {
 unshift(@_, '-x_frame_options' => 'SAMEORIGIN');
 }
+ # Add X-XSS-Protection header to prevent simple XSS attacks
+ # and enforce the blocking (rather than the rewriting) mode.
+ unshift(@_, '-x_xss_protection' => '1; mode=block');
+
 return $self->SUPER::header(@_) || "";
 } |
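Review bot: Nothing visible in the first hunk stops request processing after `print $self->redirect(...)` in the new path-info check, so `new` carries on to the charset and urlbase steps and the calling script may still build a full page behind the redirect headers, with the path-info still in effect. If that is not intended, add `exit;` directly after the print, or a comment explaining why continuing is safe. The redirect target is built from `$self->url(...)`, which presumably reflects the request's own host rather than the configured urlbase, so it is worth confirming that a forged Host header cannot steer where the client is sent. `new` begins and ends outside the hunk.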
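Review bot: The comment on the new `-x_xss_protection` line in `header` overstates what the header does: it only configures the reflected-XSS filter in browsers that ship one, and has no effect elsewhere. I would reword it to `# Ask browsers that have an XSS filter to block the page instead of rewriting it.` followed by `# Defence in depth only; output escaping in the templates remains the real protection.` The header is also pushed unconditionally, unlike the frame-options line just above it that closes an `if`, so a caller appears to have no way to opt out for a response that needs different handling; a brief note saying this is deliberate would help. `header` begins outside the hunk.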