From a7e7ed0f3a1d29800187a216b0363e0276d2f4ec Mon Sep 17 00:00:00 2001
From: "dkl%redhat.com" <>
Date: Thu, 10 Jul 2008 09:56:11 +0000
Subject: Bug 428659 – Setting SSL param to 'authenticated sessions' only protects logins and param doesn't protect WebService calls at all

Patch by Dave Lawrence - r/a=mkanat
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 Bugzilla/CGI.pm | 30 +++++++++++++++---------------
 1 file changed, 15 insertions(+), 15 deletions(-)
(limited to 'Bugzilla/CGI.pm')
diff --git a/Bugzilla/CGI.pm b/Bugzilla/CGI.pm
index aeb8419ca..4c62ab3ac 100644
--- a/Bugzilla/CGI.pm
+++ b/Bugzilla/CGI.pm
@@ -72,9 +72,8 @@ sub new {
     $self->charset(Bugzilla->params->{'utf8'} ? 'UTF-8' : '');
 
     # Redirect to SSL if required
-    if (Bugzilla->params->{'sslbase'} ne ''
-        && Bugzilla->params->{'ssl'} eq 'always'
-        && i_am_cgi())
+    if (i_am_cgi() && Bugzilla->usage_mode != USAGE_MODE_WEBSERVICE
+        && ssl_require_redirect())
     {
         $self->require_https(Bugzilla->params->{'sslbase'});
     }
@@ -297,18 +296,19 @@ sub remove_cookie {
 
 # Redirect to https if required
 sub require_https {
-    my $self = shift;
-    if ($self->protocol ne 'https') {
-        my $url = shift;
-        if (defined $url) {
-            $url .= $self->url('-path_info' => 1, '-query' => 1, '-relative' => 1);
-        } else {
-            $url = $self->self_url;
-            $url =~ s/^http:/https:/i;
-        }
-        print $self->redirect(-location => $url);
-        exit;
+    my ($self, $url) = @_;
+    # Do not create query string if data submitted via XMLRPC
+    my $query = Bugzilla->usage_mode == USAGE_MODE_WEBSERVICE ? 0 : 1;
+    # XMLRPC clients (SOAP::Lite at least) requires 301 to redirect properly
+    my $status = Bugzilla->usage_mode == USAGE_MODE_WEBSERVICE ? 301 : 302;
+    if (defined $url) {
+        $url .= $self->url('-path_info' => 1, '-query' => $query, '-relative' => 1);
+    } else {
+        $url = $self->self_url;
+        $url =~ s/^http:/https:/i;
     }
+    print $self->redirect(-location => $url, -status => $status). "\n";
+    exit;
 }
 
 1;
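Review bot: The rewritten condition in `new` no longer verifies that `sslbase` is non-empty before calling `$self->require_https(Bugzilla->params->{'sslbase'})`; the removed lines checked `sslbase ne ''` explicitly, and the new code delegates that to `ssl_require_redirect()`, which is not in this hunk. If that helper does not enforce it, an empty `sslbase` is passed as a defined string, require_https appends a relative path to it and redirects to a scheme-less relative URL, which the client resolves back onto http. Keeping the check in the condition costs one line: `&& Bugzilla->params->{'sslbase'} ne ''`. Excluding USAGE_MODE_WEBSERVICE here also means the WebService half of the bug title must be covered by a separate require_https call from the webservice entry point, which this diff does not show; the rest of `new` lies outside the hunk.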
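Review bot: require_https now redirects unconditionally — the `if ($self->protocol ne 'https')` guard that wrapped the old body is gone, so any caller that reaches it while already on https is redirected to itself. The `new` hunk delegates that check to `ssl_require_redirect()`, which is not shown, and nothing protects other callers; a cheap guard at the top, `return if $self->protocol eq 'https';`, keeps the sub safe regardless of who calls it, or at minimum the precondition should be stated in the POD, which still says only that the routine "checks if the current page is being served over https". The POD should also note that the query string is retained only outside USAGE_MODE_WEBSERVICE and that webservice callers get a 301 rather than a 302; a 301 is cacheable, so XML-RPC clients may keep following the old target after `sslbase` is changed. Minor style: `Bugzilla->usage_mode == USAGE_MODE_WEBSERVICE` is evaluated twice; computing `my $is_webservice = Bugzilla->usage_mode == USAGE_MODE_WEBSERVICE;` once and deriving `$query` and `$status` from it would read better.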
@@ -378,7 +378,7 @@ As its only argument, it takes the name of the cookie to expire.
 This routine checks if the current page is being served over https, and
 redirects to the https protocol if required, retaining QUERY_STRING.
 
-It takes an option argument which will be used as the base URL. If $baseurl
+It takes an optional argument which will be used as the base URL. If $baseurl
 is not provided, the current URL is used.
 
 =back
-- 
cgit v1.2.3-24-g4f1b