From 20d885c77680fc082640c0a7340be44cd02b2779 Mon Sep 17 00:00:00 2001
From: "dkl%redhat.com" <>
Date: Mon, 18 Aug 2008 09:16:12 +0000
Subject: Bug 428659 – Setting SSL param to 'authenticated sessions' only protects logins and param doesn't protect WebService calls at all Patch by David Lawrence - r/a=LpSolit/mkanat
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 Bugzilla/WebService.pm | 17 ++++++++++++++++-
 1 file changed, 16 insertions(+), 1 deletion(-)
(limited to 'Bugzilla/WebService.pm')
diff --git a/Bugzilla/WebService.pm b/Bugzilla/WebService.pm
index 7812a237b..d1502468d 100755
--- a/Bugzilla/WebService.pm
+++ b/Bugzilla/WebService.pm
@@ -19,6 +19,7 @@ package Bugzilla::WebService;
 use strict;
 use Bugzilla::WebService::Constants;
+use Bugzilla::Util;
 use Date::Parse;
 use XMLRPC::Lite;
@@ -49,7 +50,21 @@ sub handle_login {
 eval "require $class";
 return if $class->login_exempt($method);
- Bugzilla->login;
+ Bugzilla->login();
+
+ # Even though we check for the need to redirect in
+ # Bugzilla->login() we check here again since Bugzilla->login()
+ # does not know what the current XMLRPC method is. Therefore
+ # ssl_require_redirect in Bugzilla->login() will have returned
+ # false if system was configured to redirect for authenticated
+ # sessions and the user was not yet logged in.
+ # So here we pass in the method name to ssl_require_redirect so
+ # it can then check for the extra case where the method equals
+ # User.login, which we would then need to redirect if not
+ # over a secure connection.
+ my $full_method = $uri . "." . $method;
+ Bugzilla->cgi->require_https(Bugzilla->params->{'sslbase'})
+ if ssl_require_redirect($full_method);
 return;
 }
-- 
cgit v1.2.3-24-g4f1b
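Review bot: In the second hunk the new SSL check runs only after `Bugzilla->login();`, so a plaintext `User.login` call has already had its credentials verified and a session established by the time `require_https` fires; the redirect then protects nothing about that request. Evaluating `my $full_method = $uri . "." . $method;` and `Bugzilla->cgi->require_https(Bugzilla->params->{'sslbase'}) if ssl_require_redirect($full_method);` before the `Bugzilla->login();` call would refuse the request before any session is created, and the cookie-based "authenticated sessions" case would still be covered by the check the added comment says `Bugzilla->login()` performs itself — worth confirming against `ssl_require_redirect` in Bugzilla::Util, which is outside this diff. `require_https` presumably answers with an HTTP redirect, which an XML-RPC client that has just POSTed a request body is unlikely to follow, so an explicit fault may be the more useful response for a WebService caller. `$uri` and `$method` are not set inside the hunk; the body of handle_login starts before it.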