From 0e390970ba51b14a5dc780be7c6f0d6d7baa67e3 Mon Sep 17 00:00:00 2001
From: Frédéric Buclin
Date: Thu, 17 Apr 2014 18:11:12 +0200
Subject: Bug 713926: (CVE-2014-1517) [SECURITY] Login form lacks CSRF protection r=dkl a=justdave
---
 Bugzilla/Auth/Persist/Cookie.pm | 4 ++++
 1 file changed, 4 insertions(+)
(limited to 'Bugzilla/Auth/Persist')
diff --git a/Bugzilla/Auth/Persist/Cookie.pm b/Bugzilla/Auth/Persist/Cookie.pm
index 5a9857cba..6f4eac96d 100644
--- a/Bugzilla/Auth/Persist/Cookie.pm
+++ b/Bugzilla/Auth/Persist/Cookie.pm
@@ -54,6 +54,10 @@ sub persist_login {
 $dbh->bz_commit_transaction();
+ # We do not want WebServices to generate login cookies.
+ # All we need is the login token for User.login.
+ return $login_cookie if i_am_webservice();
+
 # Prevent JavaScript from accessing login cookies.
 my %cookieargs = ('-httponly' => 1);
-- cgit v1.2.3-24-g4f1b
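Review bot: The early return `return $login_cookie if i_am_webservice();` depends on `i_am_webservice` already being imported into this package, and the diffstat shows no `use` line was added; under `use strict` a bareword call with parentheses still compiles, so a missing import would only surface as an "Undefined subroutine" die on the WebService path at runtime, which is worth confirming against the file's existing import list (presumably `use Bugzilla::Util qw(...)`, which is outside this hunk). Because the return sits after `$dbh->bz_commit_transaction();`, the login token row is already committed before the Set-Cookie step is skipped, which the comment only implies; consider stating it, e.g. `# The token row is already committed above; WebService callers get the token back and no Set-Cookie header is emitted.` The `-httponly` cookie path that follows is unchanged by this commit. persist_login starts and ends outside this hunk.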