in the respective bug reports.
Bug 428659 – Setting SSL param to 'authenticated sessions' only
protects logins and param doesn't protect WebService calls at all
Patch by Dave Lawrence <dkl@redhat.com> - r/a=mkanat
Bug 445104: ssl redirects come with a 200 OK HTTP code on mod_perl
Patch By Max Kanat-Alexander <mkanat@bugzilla.org> r=dkl, a=mkanat
}
# Redirect to SSL if required
- Bugzilla->cgi->require_https(Bugzilla->params->{'sslbase'})
- if ssl_require_redirect();
-
+ if (Bugzilla->params->{'sslbase'} ne ''
+ and Bugzilla->params->{'ssl'} ne 'never')
+ {
+ $cgi->require_https(Bugzilla->params->{'sslbase'});
+ }
print $cgi->header();
$template->process("account/auth/login.html.tmpl",
{ 'target' => $cgi->url(-relative=>1) })
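Review bot: The guard added here (`sslbase ne ''` together with `ssl ne 'never'`) is written out again in the two later hunks that protect the front-page login and the `account/email/confirm-new.html.tmpl` page, twice with `and` and once with `&&`. Three hand-copied copies of a security condition are easy to let drift apart, so I would move the test into one small helper, or at least use the same operator in all three. A one-line comment would also help, for example `# Any value other than 'never' forces https on pages that accept credentials`, because the `ne 'never'` form treats an unrecognised `ssl` value as "require https" and that fail-safe choice should be stated. The enclosing sub starts and ends outside this hunk.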
$self->charset(Bugzilla->params->{'utf8'} ? 'UTF-8' : '');
# Redirect to SSL if required
- if (i_am_cgi() && Bugzilla->usage_mode != USAGE_MODE_WEBSERVICE
- && ssl_require_redirect())
+ if (Bugzilla->params->{'sslbase'} ne ''
+ && Bugzilla->params->{'ssl'} eq 'always'
+ && i_am_cgi())
{
$self->require_https(Bugzilla->params->{'sslbase'});
}
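Review bot: With the `Bugzilla->usage_mode != USAGE_MODE_WEBSERVICE` guard removed, this constructor-time check is the only place left in the commit that can move a WebService request to https, and it fires only when `ssl eq 'always'`. Under 'authenticated sessions' nothing visible here redirects an XML-RPC call, because the `handle_redirect` call is dropped from the `on_action` handler in the last hunk, so a login made through the WebService can travel over plain http. The redirect that is still issued goes through `require_https`, which no longer passes the 301 status that the removed comment says SOAP::Lite needs. At minimum, document the limitation above the check, e.g. `# Only 'always' is enforced here; 'authenticated sessions' does not cover WebService calls.` The enclosing method starts outside the hunk.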
# Redirect to https if required
sub require_https {
- my ($self, $url) = @_;
- # Do not create query string if data submitted via XMLRPC
- my $query = Bugzilla->usage_mode == USAGE_MODE_WEBSERVICE ? 0 : 1;
- # XMLRPC clients (SOAP::Lite at least) requires 301 to redirect properly
- my $status = Bugzilla->usage_mode == USAGE_MODE_WEBSERVICE ? 301 : 302;
- if (defined $url) {
- $url .= $self->url('-path_info' => 1, '-query' => $query, '-relative' => 1);
- } else {
- $url = $self->self_url;
- $url =~ s/^http:/https:/i;
+ my $self = shift;
+ if ($self->protocol ne 'https') {
+ my $url = shift;
+ if (defined $url) {
+ $url .= $self->url('-path_info' => 1, '-query' => 1, '-relative' => 1);
+ } else {
+ $url = $self->self_url;
+ $url =~ s/^http:/https:/i;
+ }
+ print $self->redirect(-location => $url);
+ exit;
}
- print $self->redirect(-location => $url, -status => $status);
- # When using XML-RPC with mod_perl, we need the headers sent immediately.
- # We used to do this by appending a newline to $self->redirect, but
- # that breaks normal web browser redirects.
- $self->r->rflush if $ENV{MOD_PERL};
- exit;
}
1;
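Review bot: `require_https` prints its redirect only after the plain-http request has been received, so whatever the client put in that request (a POSTed login form, any cookie it attached) has already crossed the network unencrypted, and the sub carries no comment saying so. The target URL is rebuilt with `'-query' => 1` only, so a redirected POST also loses its body. I would add above the `if`: `# Best-effort only: data in the original http request was already sent in clear, and POST bodies are not replayed.` How `$self->protocol` answers behind a TLS-terminating proxy cannot be seen from this hunk and is worth confirming, since a wrong answer there would redirect in a loop.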
This routine checks if the current page is being served over https, and
redirects to the https protocol if required, retaining QUERY_STRING.
-It takes an optional argument which will be used as the base URL. If $baseurl
+It takes an option argument which will be used as the base URL. If $baseurl
is not provided, the current URL is used.
=back
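Review bot: The added POD line says "an option argument", while the line it replaces had the correct word, "optional". Keep `It takes an optional argument which will be used as the base URL. If $baseurl` on the new side so the documentation of `require_https` does not pick up the typo.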
html_quote url_quote xml_quote
css_class_quote html_light_quote url_decode
i_am_cgi get_netaddr correct_urlbase
- lsearch ssl_require_redirect
+ lsearch
diff_arrays diff_strings
trim wrap_hard wrap_comment find_wrap_point
format_time format_time_decimal validate_date
return exists $ENV{'SERVER_SOFTWARE'} ? 1 : 0;
}
-sub ssl_require_redirect {
- my $method = shift;
-
- # Redirect to SSL if required.
- if (!(uc($ENV{HTTPS}) eq 'ON' || $ENV{'SERVER_PORT'} == 443)
- && Bugzilla->params->{'sslbase'} ne '')
- {
- if (Bugzilla->params->{'ssl'} eq 'always'
- || (Bugzilla->params->{'ssl'} eq 'authenticated sessions'
- && Bugzilla->user->id)
- || (Bugzilla->params->{'ssl'} eq 'authenticated sessions'
- && !Bugzilla->user->id && $method eq 'User.login'))
- {
- return 1;
- }
- }
-
- return 0;
-}
-
sub correct_urlbase {
my $ssl = Bugzilla->params->{'ssl'};
return Bugzilla->params->{'urlbase'} if $ssl eq 'never';
use strict;
use Bugzilla::WebService::Constants;
-use Bugzilla::Util;
use Date::Parse;
sub fail_unimplemented {
return;
}
-sub handle_redirect {
- my ($action, $uri, $method) = @_;
- my $full_method = $uri . "." . $method;
-
- # Redirect to SSL if required.
- Bugzilla->cgi->require_https(Bugzilla->params->{'sslbase'})
- if ssl_require_redirect($full_method);
-}
-
# For some methods, we shouldn't call Bugzilla->login before we call them
use constant LOGIN_EXEMPT => { };
use Bugzilla::Constants;
use Bugzilla::Error;
use Bugzilla::Update;
-use Bugzilla::Util;
# Check whether or not the user is logged in
my $user = Bugzilla->login(LOGIN_OPTIONAL);
my $cgi = Bugzilla->cgi;
# Force to use HTTPS unless Bugzilla->params->{'ssl'} equals 'never'.
# This is required because the user may want to log in from here.
-$cgi->require_https(Bugzilla->params->{'sslbase'})
- if ssl_require_redirect();
+if (Bugzilla->params->{'sslbase'} ne '' and Bugzilla->params->{'ssl'} ne 'never') {
+ $cgi->require_https(Bugzilla->params->{'sslbase'});
+}
my $template = Bugzilla->template;
my $vars = {};
$vars->{'date'} = str2time($date);
# We require a HTTPS connection if possible.
- Bugzilla->cgi->require_https(Bugzilla->params->{'sslbase'})
- if ssl_require_redirect();
-
+ if (Bugzilla->params->{'sslbase'} ne ''
+ && Bugzilla->params->{'ssl'} ne 'never')
+ {
+ $cgi->require_https(Bugzilla->params->{'sslbase'});
+ }
print $cgi->header();
$template->process('account/email/confirm-new.html.tmpl', $vars)
my $response = Bugzilla::WebService::XMLRPC::Transport::HTTP::CGI
->dispatch_with($dispatch)
- ->on_action(sub {
- my ($action, $uri, $method) = @_;
- Bugzilla::WebService::handle_login($dispatch, @_);
- Bugzilla::WebService::handle_redirect(@_);
- } )
+ ->on_action(sub { Bugzilla::WebService::handle_login($dispatch, @_) } )
->handle;