Backing out these patches as they cause a regression. More information

in the respective bug reports. Bug 428659 â Setting SSL param to 'authenticated sessions' only protects logins and param doesn't protect WebService calls at all Patch by Dave Lawrence <dkl@redhat.com> - r/a=mkanat Bug 445104: ssl redirects come with a 200 OK HTTP code on mod_perl Patch By Max Kanat-Alexander <mkanat@bugzilla.org> r=dkl, a=mkanat

Backing out these patches as they cause a regression. More information
f33f4824 · dkl%redhat.com · 94998431 · f33f4824 · f33f4824 · f33f4824
Commit f33f4824 authored Jul 29, 2008 by dkl%redhat.com
7 changed files
--- a/Bugzilla/Auth/Login/CGI.pm
+++ b/Bugzilla/Auth/Login/CGI.pm
@@ -66,9 +66,11 @@ sub fail_nodata {
    }
    # Redirect to SSL if required
-    Bugzilla->cgi->require_https(Bugzilla->params->{'sslbase'})
+    if (Bugzilla->params->{'sslbase'} ne '' 
-        if ssl_require_redirect();
+        and Bugzilla->params->{'ssl'} ne 'never') 
+    {
+        $cgi->require_https(Bugzilla->params->{'sslbase'});
+    }
    print $cgi->header();
    $template->process("account/auth/login.html.tmpl",
                       { 'target' => $cgi->url(-relative=>1) }) 

--- a/Bugzilla/CGI.pm
+++ b/Bugzilla/CGI.pm
@@ -72,8 +72,9 @@ sub new {
    $self->charset(Bugzilla->params->{'utf8'} ? 'UTF-8' : '');
    # Redirect to SSL if required
-    if (i_am_cgi() && Bugzilla->usage_mode != USAGE_MODE_WEBSERVICE 
+    if (Bugzilla->params->{'sslbase'} ne ''
-        && ssl_require_redirect()) 
+        && Bugzilla->params->{'ssl'} eq 'always'
+        && i_am_cgi())
    {
        $self->require_https(Bugzilla->params->{'sslbase'});
    }
@@ -296,23 +297,18 @@ sub remove_cookie {
 # Redirect to https if required
 sub require_https {
-    my ($self, $url) = @_;
+    my $self = shift;
-    # Do not create query string if data submitted via XMLRPC
+    if ($self->protocol ne 'https') {
-    my $query = Bugzilla->usage_mode == USAGE_MODE_WEBSERVICE ? 0 : 1;
+        my $url = shift;
-    # XMLRPC clients (SOAP::Lite at least) requires 301 to redirect properly
-    my $status = Bugzilla->usage_mode == USAGE_MODE_WEBSERVICE ? 301 : 302;
        if (defined $url) {
-        $url .= $self->url('-path_info' => 1, '-query' => $query, '-relative' => 1);
+            $url .= $self->url('-path_info' => 1, '-query' => 1, '-relative' => 1);
        } else {
            $url = $self->self_url;
            $url =~ s/^http:/https:/i;
        }
-    print $self->redirect(-location => $url, -status => $status);
+        print $self->redirect(-location => $url);
-    # When using XML-RPC with mod_perl, we need the headers sent immediately.
-    # We used to do this by appending a newline to $self->redirect, but
-    # that breaks normal web browser redirects.
-    $self->r->rflush if $ENV{MOD_PERL};
        exit;
+    }
 }
 1;
@@ -382,7 +378,7 @@ As its only argument, it takes the name of the cookie to expire.
 This routine checks if the current page is being served over https, and
 redirects to the https protocol if required, retaining QUERY_STRING.
-It takes an optional argument which will be used as the base URL.  If $baseurl
+It takes an option argument which will be used as the base URL.  If $baseurl
 is not provided, the current URL is used.
 =back

--- a/Bugzilla/Util.pm
+++ b/Bugzilla/Util.pm
@@ -36,7 +36,7 @@ use base qw(Exporter);
                             html_quote url_quote xml_quote
                             css_class_quote html_light_quote url_decode
                             i_am_cgi get_netaddr correct_urlbase
-                             lsearch ssl_require_redirect
+                             lsearch
                             diff_arrays diff_strings
                             trim wrap_hard wrap_comment find_wrap_point
                             format_time format_time_decimal validate_date
@@ -218,26 +218,6 @@ sub i_am_cgi {
    return exists $ENV{'SERVER_SOFTWARE'} ? 1 : 0;
 }
-sub ssl_require_redirect {
-    my $method = shift;
-    # Redirect to SSL if required.
-    if (!(uc($ENV{HTTPS}) eq 'ON' || $ENV{'SERVER_PORT'} == 443)
-        && Bugzilla->params->{'sslbase'} ne '') 
-    {
-        if (Bugzilla->params->{'ssl'} eq 'always'
-            || (Bugzilla->params->{'ssl'} eq 'authenticated sessions'
-                && Bugzilla->user->id)
-            || (Bugzilla->params->{'ssl'} eq 'authenticated sessions'
-                && !Bugzilla->user->id && $method eq 'User.login')) 
-        {
-            return 1;
-        }
-    }
-    return 0;
-}
 sub correct_urlbase {
    my $ssl = Bugzilla->params->{'ssl'};
    return Bugzilla->params->{'urlbase'} if $ssl eq 'never';

--- a/Bugzilla/WebService.pm
+++ b/Bugzilla/WebService.pm
@@ -19,7 +19,6 @@ package Bugzilla::WebService;
 use strict;
 use Bugzilla::WebService::Constants;
-use Bugzilla::Util;
 use Date::Parse;
 use XMLRPC::Lite;
@@ -55,15 +54,6 @@ sub handle_login {
    return;
 }
-sub handle_redirect {
-    my ($action, $uri, $method) = @_;
-    my $full_method = $uri . "." . $method;
-    # Redirect to SSL if required.
-    Bugzilla->cgi->require_https(Bugzilla->params->{'sslbase'})
-        if ssl_require_redirect($full_method);
-}
 # For some methods, we shouldn't call Bugzilla->login before we call them
 use constant LOGIN_EXEMPT => { };

--- a/index.cgi
+++ b/index.cgi
@@ -35,7 +35,6 @@ use Bugzilla;
 use Bugzilla::Constants;
 use Bugzilla::Error;
 use Bugzilla::Update;
-use Bugzilla::Util;
 # Check whether or not the user is logged in
 my $user = Bugzilla->login(LOGIN_OPTIONAL);
@@ -47,8 +46,9 @@ my $user = Bugzilla->login(LOGIN_OPTIONAL);
 my $cgi = Bugzilla->cgi;
 # Force to use HTTPS unless Bugzilla->params->{'ssl'} equals 'never'.
 # This is required because the user may want to log in from here.
-$cgi->require_https(Bugzilla->params->{'sslbase'}) 
+if (Bugzilla->params->{'sslbase'} ne '' and Bugzilla->params->{'ssl'} ne 'never') {
-    if ssl_require_redirect();
+    $cgi->require_https(Bugzilla->params->{'sslbase'});
+}
 my $template = Bugzilla->template;
 my $vars = {};

--- a/token.cgi
+++ b/token.cgi
@@ -347,9 +347,11 @@ sub request_create_account {
    $vars->{'date'} = str2time($date);
    # We require a HTTPS connection if possible.
-    Bugzilla->cgi->require_https(Bugzilla->params->{'sslbase'}) 
+    if (Bugzilla->params->{'sslbase'} ne ''
-        if ssl_require_redirect();
+        && Bugzilla->params->{'ssl'} ne 'never')
+    {
+        $cgi->require_https(Bugzilla->params->{'sslbase'});
+    }
    print $cgi->header();
    $template->process('account/email/confirm-new.html.tmpl', $vars)

--- a/xmlrpc.cgi
+++ b/xmlrpc.cgi
@@ -53,9 +53,5 @@ my $dispatch = {
 my $response = Bugzilla::WebService::XMLRPC::Transport::HTTP::CGI
    ->dispatch_with($dispatch)
-    ->on_action(sub { 
+    ->on_action(sub { Bugzilla::WebService::handle_login($dispatch, @_) } )
-                    my ($action, $uri, $method) = @_;
-                    Bugzilla::WebService::handle_login($dispatch, @_);
-                    Bugzilla::WebService::handle_redirect(@_);
-                } )
    ->handle;