From dfb688869062b955488057144eaa99f5c91cea28 Mon Sep 17 00:00:00 2001
From: Dylan William Hardison
Date: Sun, 5 Mar 2017 19:50:01 -0500
Subject: Bug 1342795 - When urlbase is https, force the secure flag to be set on cookies.
---
 Bugzilla/CGI.pm | 5 ++++-
 Bugzilla/Util.pm | 1 +
 2 files changed, 5 insertions(+), 1 deletion(-)
diff --git a/Bugzilla/CGI.pm b/Bugzilla/CGI.pm
index 14a9a5720..edfc7ba70 100644
--- a/Bugzilla/CGI.pm
+++ b/Bugzilla/CGI.pm
@@ -332,7 +332,10 @@ sub header {
 && !$self->cookie('Bugzilla_login_request_cookie'))
 {
 my %args;
- $args{'-secure'} = 1 if Bugzilla->params->{ssl_redirect};
+ my $params = Bugzilla->params;
+ if ($params->{ssl_redirect} || $params->{urlbase} =~ /^https/i) {
+ $args{'-secure'} = 1;
+ }
 $self->send_cookie(-name => 'Bugzilla_login_request_cookie',
 -value => generate_random_password(),
diff --git a/Bugzilla/Util.pm b/Bugzilla/Util.pm
index d2be18431..fcd4aff91 100644
--- a/Bugzilla/Util.pm
+++ b/Bugzilla/Util.pm
@@ -272,6 +272,7 @@ sub i_am_webservice {
 # (doing so can mess up XML-RPC).
 sub do_ssl_redirect_if_required {
 return if !i_am_cgi();
+ return if Bugzilla->params->{urlbase} =~ /^https/i;
 return if !Bugzilla->params->{'ssl_redirect'};
 return if !Bugzilla->params->{'sslbase'};
-- 
cgit v1.2.3-24-g4f1b
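Review bot: The https test added in header() only decides the Secure flag for Bugzilla_login_request_cookie. send_cookie() is outside this hunk; if it still derives `-secure` from `ssl_redirect` alone, cookies set through other paths would keep going out without the flag when urlbase is https and ssl_redirect is off. Making the decision once in send_cookie(), or in a small shared helper, would cover every cookie and remove the copy of the same regex in do_ssl_redirect_if_required in Bugzilla/Util.pm. The pattern is also looser than intended: `/^https/i` accepts any value that merely starts with "https", whereas `m{\Ahttps://}i` states the scheme check exactly. header() begins and ends outside the hunk.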
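Review bot: The new early return in do_ssl_redirect_if_required fires for every request once urlbase is https, including requests that actually arrived over plain HTTP, so the application no longer upgrades them even when ssl_redirect is on. That is presumably meant for deployments where a front end terminates TLS, but the line should say so, for example `# urlbase is https: the front end is expected to enforce TLS; redirecting here could loop behind a proxy`. Operators relying on ssl_redirect for the upgrade would then know to enforce it at the web server instead. The rest of the function lies outside the hunk.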