From: reed%reedloden.com <>
Date: Sat, 23 Aug 2008 04:39:39 +0000 (+0000)
Subject: Bug 368502 - "Bugzilla_logincookie should not be accessible via javascript" [p=reed...
X-Git-Tag: bugzilla-3.2rc2~83
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=e388562c7e35d7dd9ed59255f08cece536a8e521;p=thirdparty%2Fbugzilla.git
Bug 368502 - "Bugzilla_logincookie should not be accessible via javascript" [p=reed r+a=mkanat]
---
diff --git a/Bugzilla/Auth/Persist/Cookie.pm b/Bugzilla/Auth/Persist/Cookie.pm
index 3faa892aeb..4928068e51 100644
--- a/Bugzilla/Auth/Persist/Cookie.pm
+++ b/Bugzilla/Auth/Persist/Cookie.pm
@@ -76,17 +76,20 @@ sub persist_login {
 {
 $cgi->send_cookie(-name => 'Bugzilla_login',
 -value => $user->id,
+ -httponly => 1,
 -expires => 'Fri, 01-Jan-2038 00:00:00 GMT');
 $cgi->send_cookie(-name => 'Bugzilla_logincookie',
 -value => $login_cookie,
+ -httponly => 1,
 -expires => 'Fri, 01-Jan-2038 00:00:00 GMT');
-
 } else {
 $cgi->send_cookie(-name => 'Bugzilla_login',
- -value => $user->id);
+ -value => $user->id,
+ -httponly => 1);
 $cgi->send_cookie(-name => 'Bugzilla_logincookie',
- -value => $login_cookie);
+ -value => $login_cookie,
+ -httponly => 1);
 }
 }
diff --git a/Bugzilla/Install/Requirements.pm b/Bugzilla/Install/Requirements.pm
index fd3dcf5890..2216d963dd 100644
--- a/Bugzilla/Install/Requirements.pm
+++ b/Bugzilla/Install/Requirements.pm
@@ -61,7 +61,8 @@ sub REQUIRED_MODULES {
 module => 'CGI',
 # Perl 5.10 requires CGI 3.33 due to a taint issue when
 # uploading attachments, see bug 416382.
- version => (vers_cmp($perl_ver, '5.10') > -1) ? '3.33' : '2.93'
+ # Require CGI 3.21 for -httponly support, see bug 368502.
+ version => (vers_cmp($perl_ver, '5.10') > -1) ? '3.33' : '3.21'
 },
 {
 package => 'TimeDate',
diff --git a/template/en/default/pages/release-notes.html.tmpl b/template/en/default/pages/release-notes.html.tmpl
index 487e648b96..fad39ea472 100644
--- a/template/en/default/pages/release-notes.html.tmpl
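Review bot: All four send_cookie calls in the Cookie.pm hunk now pass `-httponly => 1`, but none of them sets `-secure`, so unless the send_cookie wrapper in Bugzilla::CGI (outside this hunk) adds that attribute from the installation's SSL setting, Bugzilla_logincookie is still transmitted in clear on plain-HTTP requests — a network-level exposure that HttpOnly does not address. If the wrapper does not already do this, each call should add `($ENV{HTTPS} ? (-secure => 1) : ()),` so the session token is only sent over TLS once it has been issued over TLS, and a comment such as `# HttpOnly keeps the token out of document.cookie; Secure keeps it off the wire over plain HTTP.` would record why both attributes are needed. The two branches now differ only in `-expires`, so a single pair of calls with `($remember ? (-expires => 'Fri, 01-Jan-2038 00:00:00 GMT') : ())` would avoid touching four call sites the next time a cookie attribute is added; the condition that selects the branch sits before the hunk, as does the start of persist_login, so the exact variable to test is not visible here.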
+++ b/template/en/default/pages/release-notes.html.tmpl
@@ -79,7 +79,7 @@
 [% INCLUDE req_table reqs = REQUIRED_MODULES
 new = []
 updated = ['Template-Toolkit', 'Email-MIME',
- 'Email-MIME-Modifier'] %]
+ 'Email-MIME-Modifier', 'CGI'] %]

Optional Perl Modules