From 20d885c77680fc082640c0a7340be44cd02b2779 Mon Sep 17 00:00:00 2001
From: "dkl%redhat.com" <>
Date: Mon, 18 Aug 2008 09:16:12 +0000
Subject: Bug 428659 – Setting SSL param to 'authenticated sessions' only
 protects logins and param doesn't protect WebService calls at all Patch by
 David Lawrence <dkl@redhat.com> - r/a=LpSolit/mkanat
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

---
 index.cgi | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

(limited to 'index.cgi')

diff --git a/index.cgi b/index.cgi
index 100941765..89880d163 100755
--- a/index.cgi
+++ b/index.cgi
@@ -46,7 +46,9 @@ my $user = Bugzilla->login(LOGIN_OPTIONAL);
 my $cgi = Bugzilla->cgi;
 # Force to use HTTPS unless Bugzilla->params->{'ssl'} equals 'never'.
 # This is required because the user may want to log in from here.
-if (Bugzilla->params->{'sslbase'} ne '' and Bugzilla->params->{'ssl'} ne 'never') {
+if ($cgi->protocol ne 'https' && Bugzilla->params->{'sslbase'} ne ''
+    && Bugzilla->params->{'ssl'} ne 'never')
+{
     $cgi->require_https(Bugzilla->params->{'sslbase'});
 }
 
-- 
cgit v1.2.3-24-g4f1b