From 20d885c77680fc082640c0a7340be44cd02b2779 Mon Sep 17 00:00:00 2001
From: "dkl%redhat.com" <>
Date: Mon, 18 Aug 2008 09:16:12 +0000
Subject: Bug 428659 – Setting SSL param to 'authenticated sessions' only protects logins and param doesn't protect WebService calls at all Patch by David Lawrence - r/a=LpSolit/mkanat
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 Bugzilla.pm | 8 ++++++++
 1 file changed, 8 insertions(+)
(limited to 'Bugzilla.pm')
diff --git a/Bugzilla.pm b/Bugzilla.pm
index a20aa0f6b..abba18924 100644
--- a/Bugzilla.pm
+++ b/Bugzilla.pm
@@ -270,6 +270,14 @@ sub login {
 else {
 $class->set_user($authenticated_user);
 }
+
+ # We run after the login has completed since
+ # some of the checks in ssl_require_redirect
+ # look for Bugzilla->user->id to determine
+ # if redirection is required.
+ if (i_am_cgi() && ssl_require_redirect()) {
+ $class->cgi->require_https($class->params->{'sslbase'});
+ }
 return $class->user;
 }
--
cgit v1.2.3-24-g4f1b
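Review bot: The `require_https` call added at the end of `login` runs only after authentication has completed, so the request that triggers the redirect, with whatever login cookie or credentials it carried, has already crossed the network over plain HTTP; the redirect protects later requests, not that one. For WebService callers this matters more, since the call body is presumably sent before the redirect is seen and a client may not replay a POST after a redirect. I would state this next to the existing comment, e.g. `# NOTE: the triggering request was already sent in clear; login cookies need the Secure attribute to stay off HTTP.`, and confirm elsewhere that the login cookies are issued with Secure whenever this param is on. It is also not visible here whether `ssl_require_redirect()` checks that `sslbase` is non-empty before `$class->params->{'sslbase'}` is passed on. The body of `login` starts outside the hunk.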