From 0e390970ba51b14a5dc780be7c6f0d6d7baa67e3 Mon Sep 17 00:00:00 2001 From: Frédéric Buclin Date: Thu, 17 Apr 2014 18:11:12 +0200 Subject: Bug 713926: (CVE-2014-1517) [SECURITY] Login form lacks CSRF protection r=dkl a=justdave --- Bugzilla/WebService.pm | 38 +++++++++++++++++--------------------- 1 file changed, 17 insertions(+), 21 deletions(-) (limited to 'Bugzilla/WebService.pm') diff --git a/Bugzilla/WebService.pm b/Bugzilla/WebService.pm index 9638d1132..ebad7930a 100644 --- a/Bugzilla/WebService.pm +++ b/Bugzilla/WebService.pm @@ -141,9 +141,7 @@ There are various ways to log in: =item C You can use L to log in as a Bugzilla -user. This issues standard HTTP cookies that you must then use in future -calls, so your client must be capable of receiving and transmitting -cookies. +user. This issues a token that you must then use in future calls. =item C and C 
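Review bot: the replacement sentence "This issues a token that you must then use in future calls" drops the practical guidance the old cookie text gave (what the client must be able to receive and send back) without replacing it; say here how the token comes back in the login response and that it is passed as a parameter on subsequent calls, or cross-reference the new token item added later in this section, so a client author reading only this item knows what to do.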
@@ -163,30 +161,28 @@ WebService method to perform a login: =item C (boolean) - Optional. If true, then your login will only be valid for your IP address. -=item C (boolean) - Optional. If true, -then the cookie sent back to you with the method response will -not expire. - =back -The C and C options -are only used when you have also specified C and -C. - -Note that Bugzilla will return HTTP cookies along with the method -response when you use these arguments (just like the C method -above). +The C option is only used when you have also +specified C and C. -For REST, you may also use the C and C variable +For REST, you may also use the C and C variable names instead of C and C as a -convenience. +convenience. You may also use C instead of C. + +=item C + +B + +You can specify C as argument to any WebService method, +and you will be logged in as that user if the token is correct. This is +the token returned when calling C mentioned above. -=item B +An error is thrown if you pass an invalid token and you will need to log +in again to get a new token. -An error is now thrown if you pass invalid cookies or an invalid token. -You will need to log in again to get new cookies or a new token. Previous -releases simply ignored invalid cookies and token support was added in -Bugzilla B<5.0>. +Token support was added in Bugzilla B<5.0> and support for login cookies +has been dropped for security reasons. =back
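Review bot: dropping login-cookie support is an incompatible change for every existing API client, yet this hunk deletes the `=item B` heading that previously introduced the incompatible-changes note and folds the information into the closing paragraph "Token support was added in Bugzilla B<5.0> and support for login cookies has been dropped for security reasons."; keep the incompatible-changes item so the break is visible to readers skimming the POD. The new token item also says nothing about the token's lifetime or how a client ends a session (whether a logout call invalidates it), which matters now that the token is the only credential accepted; one sentence on expiry and invalidation would close that gap. Finally, this patch is limited to Bugzilla/WebService.pm and changes documentation only, so the code that actually stops accepting cookies and rejects invalid tokens must be in a companion change; the commit message should reference it, and the documented behaviour ("An error is thrown if you pass an invalid token") should be verified against that code before landing. Minor style point: "as argument to any WebService method" reads better as "as an argument to any WebService method".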