diff options
| -rw-r--r-- | CGI.pl | 12 | ||||
| -rwxr-xr-x | process_bug.cgi | 10 |
2 files changed, 17 insertions, 5 deletions
@@ -20,6 +20,7 @@ # Contributor(s): Terry Weissman <terry@mozilla.org> # Dan Mosedale <dmose@mozilla.org> # Joe Robins <jmrobins@tgix.com> +# Dave Miller <justdave@syndicomm.com> # Contains some global routines used throughout the CGI scripts of Bugzilla. @@ -914,9 +915,14 @@ Content-type: text/html $nexturl = $&; } my $method = "POST"; - if (defined $ENV{"REQUEST_METHOD"} && length($::buffer) > 1) { - $method = $ENV{"REQUEST_METHOD"}; - } +# We always want to use POST here, because we're submitting a password and don't +# want to see it in the location bar in the browser in case a co-worker is looking +# over your shoulder. If you have cookies off and need to bookmark the query, you +# can bookmark it from the screen asking for your password, and it should still +# work. See http://bugzilla.mozilla.org/show_bug.cgi?id=15980 +# if (defined $ENV{"REQUEST_METHOD"} && length($::buffer) > 1) { +# $method = $ENV{"REQUEST_METHOD"}; +# } print " <FORM action=$nexturl method=$method> <table> diff --git a/process_bug.cgi b/process_bug.cgi index 81f6846b8..1b02b7b0c 100755 --- a/process_bug.cgi +++ b/process_bug.cgi @@ -724,8 +724,14 @@ The changes made were: $::FORM{'delta_ts'} = $delta_ts; print "<li><form method=post>"; foreach my $i (keys %::FORM) { - my $value = value_quote($::FORM{$i}); - print qq{<input type=hidden name="$i" value="$value">\n}; + # Make sure we don't include the username/password fields in the + # HTML. If cookies are off, they'll have to reauthenticate after + # hitting "submit changes anyway". + # see http://bugzilla.mozilla.org/show_bug.cgi?id=15980 + if ($i !~ /^(Bugzilla|LDAP)_(login|password)$/) { + my $value = value_quote($::FORM{$i}); + print qq{<input type=hidden name="$i" value="$value">\n}; + } } print qq{<input type=submit value="Submit my changes anyway">\n}; print " This will cause all of the above changes to be overwritten"; |