From 82b6c8305d7bdce96e5569de113d45f040d4acb7 Mon Sep 17 00:00:00 2001
From: Frédéric Buclin
Date: Mon, 17 Feb 2014 14:43:44 +0800
Subject: Bug 966676: The 'sudo' cookie should not be accessible from JavaScript

---
 relogin.cgi | 13 ++++++++++---
 1 file changed, 10 insertions(+), 3 deletions(-)

(limited to 'relogin.cgi')

diff --git a/relogin.cgi b/relogin.cgi
index 07796f9f6..295d199c5 100755
--- a/relogin.cgi
+++ b/relogin.cgi
@@ -152,11 +152,18 @@ elsif ($action eq 'begin-sudo') {
     # For future sessions, store the unique ID of the target user
     my $token = Bugzilla::Token::_create_token($user->id, 'sudo', $target_user->id);
+
+    my %args;
+    if (Bugzilla->params->{ssl_redirect}) {
+        $args{'-secure'} = 1;
+    }
+
     $cgi->send_cookie('-name' => 'sudo',
                       '-expires' => $time_string,
-                      '-value' => $token
-    );
-
+                      '-value' => $token,
+                      '-httponly' => 1,
+                      %args);
+
     # For the present, change the values of Bugzilla::user & Bugzilla::sudoer
     Bugzilla->sudo_request($target_user, $user);
--
cgit v1.2.3-24-g4f1b
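Review bot: The `-secure` flag on the new sudo cookie is keyed off the `ssl_redirect` parameter rather than off whether this request actually arrived over HTTPS, so an installation served over TLS without `ssl_redirect` enabled still gets the sudo token sent in the clear on any plain-HTTP request to the same host; consider `$args{'-secure'} = 1 if Bugzilla->params->{ssl_redirect} || $cgi->https;` (CGI.pm's `https` method, to be confirmed against the Bugzilla::CGI subclass). If `Bugzilla::CGI::send_cookie` already applies site-wide flags such as `-secure` to every cookie it emits, the `%args` block here duplicates that logic and should be dropped in favour of the central default rather than maintained in two places. A one-line comment above `my %args;`, e.g. `# HttpOnly always; Secure only when the site enforces SSL, so the token never travels in plaintext or reaches page scripts.`, would make the intent of the two flags explicit to the next reader. The `elsif ($action eq 'begin-sudo')` block starts and ends outside the hunk.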