From c401ba318f9dcd511b8aad742f09680b79cec135 Mon Sep 17 00:00:00 2001
From: "lpsolit%gmail.com" <>
Date: Tue, 21 Feb 2006 08:19:25 +0000
Subject: [PATCH] =?utf8?q?[SECURITY]=20Bug=20325079:=20The=20login=20form?=
 =?utf8?q?=20on=20the=20Bugzilla=20home=20page=20may=20redirect=20your=20l?=
 =?utf8?q?ogin=20and=20password=20to=20another=20site=20-=20Patch=20by=20F?=
 =?utf8?q?r=C3=A9d=C3=A9ric=20Buclin=20<LpSolit@gmail.com>=20r=3Dmyk=20a?=
 =?utf8?q?=3Djustdave?=
MIME-Version: 1.0
Content-Type: text/plain; charset=utf8
Content-Transfer-Encoding: 8bit

---
 .../en/default/account/auth/login-small.html.tmpl  | 14 +++++++++++++-
 1 file changed, 13 insertions(+), 1 deletion(-)

diff --git a/template/en/default/account/auth/login-small.html.tmpl b/template/en/default/account/auth/login-small.html.tmpl
index 85802a7710..a6e3b6ddb6 100644
--- a/template/en/default/account/auth/login-small.html.tmpl
+++ b/template/en/default/account/auth/login-small.html.tmpl
@@ -21,7 +21,19 @@
 
 [% PROCESS global/variables.none.tmpl %]
 
-<form name="login" action="[% cgi.script_name FILTER html %]" method="POST">
+[%# Use the current script name. If an empty name is retuned,
+  # then we are accessing the home page. %]
+
+[% script_name = cgi.url(Relative => 1) %]
+
+[%# If SSL is in use, use 'sslbase', else use 'urlbase'. %]
+[% IF Param("sslbase") != "" && Param("ssl") != "never" %]
+  [% script_name = Param("sslbase") _ script_name %]
+[% ELSE %]
+  [% script_name = Param("urlbase") _ script_name %]
+[% END %]
+
+<form name="login" action="[% script_name FILTER html %]" method="POST">
   <table>
     <tr>
       <td align="right"><b>Login:</b></td>
-- 
2.47.2