From 20d885c77680fc082640c0a7340be44cd02b2779 Mon Sep 17 00:00:00 2001
From: "dkl%redhat.com" <>
Date: Mon, 18 Aug 2008 09:16:12 +0000
Subject: Bug 428659 – Setting SSL param to 'authenticated sessions' only protects logins and param doesn't protect WebService calls at all Patch by David Lawrence - r/a=LpSolit/mkanat
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 token.cgi | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
(limited to 'token.cgi')
diff --git a/token.cgi b/token.cgi
index c91c2f94f..d7f9f3c98 100755
--- a/token.cgi
+++ b/token.cgi
@@ -346,8 +346,9 @@ sub request_create_account {
 $vars->{'email'} = $login_name . Bugzilla->params->{'emailsuffix'};
 $vars->{'date'} = str2time($date);
- # We require a HTTPS connection if possible.
- if (Bugzilla->params->{'sslbase'} ne ''
+ # When 'ssl' equals 'always' or 'authenticated sessions',
+ # we want this form to always be over SSL.
+ if ($cgi->protocol ne 'https' && Bugzilla->params->{'sslbase'} ne ''
 && Bugzilla->params->{'ssl'} ne 'never')
 {
 $cgi->require_https(Bugzilla->params->{'sslbase'});
-- 
cgit v1.2.3-24-g4f1b
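Review bot: The new comment says this form should always be over SSL, but the condition still skips the redirect whenever `sslbase` is empty, so a site with `ssl` set to 'always' or 'authenticated sessions' and no `sslbase` serves the account-creation form over plain HTTP with no signal to the administrator. I would state that limit in the comment, e.g. `# Without 'sslbase' no redirect is possible and the form stays on HTTP.`, or report the misconfiguration instead of falling through silently. The added `$cgi->protocol ne 'https'` test presumably reflects only what the web server itself sees, so it is worth confirming how it behaves when TLS is terminated by a front-end proxy, where every request may look like HTTP and the redirect could repeat. request_create_account begins before this hunk and the `if` block closes after it, so the rest of the function was not reviewed.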