author | 2014-02-15 00:29:15 +0100 | |
---|---|---|
committer | 2014-02-15 00:29:15 +0100 | |
commit | 572206bd18e1d81880517a8d9f750ed6e4ebf75e (patch) | |
tree | 22f5b1ed656767441ec992fa238cbc6aea872f05 /relogin.cgi | |
parent | Bug 970184: "possible duplicates" shouldn't truncate words at the first non-w... (diff) | |
Bug 966676: The 'sudo' cookie should not be accessible from JavaScript
r=dkl a=justdave
Diffstat (limited to 'relogin.cgi')
-rwxr-xr-x | relogin.cgi | 13 |
1 files changed, 10 insertions, 3 deletions
diff --git a/relogin.cgi b/relogin.cgi
index 57240db43..b3307c9eb 100755
--- a/relogin.cgi
+++ b/relogin.cgi
@@ -136,11 +136,18 @@ elsif ($action eq 'begin-sudo') {
     # For future sessions, store the unique ID of the target user
     my $token = Bugzilla::Token::_create_token($user->id, 'sudo', $target_user->id);
+
+    my %args;
+    if (Bugzilla->params->{ssl_redirect}) {
+        $args{'-secure'} = 1;
+    }
+
     $cgi->send_cookie('-name' => 'sudo',
                       '-expires' => $time_string,
-                      '-value' => $token
-    );
-
+                      '-value' => $token,
+                      '-httponly' => 1,
+                      %args);
+
     # For the present, change the values of Bugzilla::user & Bugzilla::sudoer
     Bugzilla->sudo_request($target_user, $user);
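Review bot: The `Secure` flag on the new sudo cookie is keyed to the `ssl_redirect` parameter rather than to the transport the request actually arrived on, so an installation that serves HTTPS without forcing redirects still has the sudo token (which grants impersonation of another user) sent over plain HTTP. Setting the flag whenever the current request is already TLS closes that gap: `if (Bugzilla->params->{ssl_redirect} || $cgi->https) { $args{'-secure'} = 1; }` — `https()` is inherited from CGI.pm, assuming Bugzilla::CGI does not override it. Making `-httponly` unconditional is the right call. A one-line comment above `my %args;` would also help the next reader, e.g. `# Secure is only set when the site is HTTPS-only; presumably a mixed http/https install needs the cookie on both.` The enclosing `elsif ($action eq 'begin-sudo')` block begins and ends outside this hunk.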