Commit 09317bf9 authored by Frédéric Buclin's avatar Frédéric Buclin

Bug 966676: The 'sudo' cookie should not be accessible from JavaScript

r=dkl a=justdave
parent c91b8f3e
......@@ -137,10 +137,17 @@ elsif ($action eq 'begin-sudo') {
# For future sessions, store the unique ID of the target user
my $token = Bugzilla::Token::_create_token($user->id, 'sudo', $target_user->id);
my %args;
if (Bugzilla->params->{ssl_redirect}) {
$args{'-secure'} = 1;
}
$cgi->send_cookie('-name' => 'sudo',
'-expires' => $time_string,
'-value' => $token
);
'-value' => $token,
'-httponly' => 1,
%args);
# For the present, change the values of Bugzilla::user & Bugzilla::sudoer
Bugzilla->sudo_request($target_user, $user);
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment