aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authordkl%redhat.com <>2008-08-18 09:16:12 +0000
committerdkl%redhat.com <>2008-08-18 09:16:12 +0000
commit20d885c77680fc082640c0a7340be44cd02b2779 (patch)
treea7b20520a3f1e6648ed9dbb5bc72321007bace84 /token.cgi
parentBug 448593: Move code to edit product group settings from editproducts.cgi to... (diff)
downloadbugzilla-20d885c77680fc082640c0a7340be44cd02b2779.tar.gz
bugzilla-20d885c77680fc082640c0a7340be44cd02b2779.tar.bz2
bugzilla-20d885c77680fc082640c0a7340be44cd02b2779.zip
Bug 428659 – Setting SSL param to 'authenticated sessions' only protects logins and param
doesn't protect WebService calls at all Patch by David Lawrence <dkl@redhat.com> - r/a=LpSolit/mkanat
Diffstat (limited to 'token.cgi')
-rwxr-xr-xtoken.cgi5
1 files changed, 3 insertions, 2 deletions
diff --git a/token.cgi b/token.cgi
index c91c2f94f..d7f9f3c98 100755
--- a/token.cgi
+++ b/token.cgi
@@ -346,8 +346,9 @@ sub request_create_account {
$vars->{'email'} = $login_name . Bugzilla->params->{'emailsuffix'};
$vars->{'date'} = str2time($date);
- # We require a HTTPS connection if possible.
- if (Bugzilla->params->{'sslbase'} ne ''
+ # When 'ssl' equals 'always' or 'authenticated sessions',
+ # we want this form to always be over SSL.
+ if ($cgi->protocol ne 'https' && Bugzilla->params->{'sslbase'} ne ''
&& Bugzilla->params->{'ssl'} ne 'never')
{
$cgi->require_https(Bugzilla->params->{'sslbase'});