enforcing access is via urlbase

bugzilla at glob.com.au
Thu Sep 30 02:30:43 UTC 2004

what do people think about always redirecting to urlbase (once it's been set)
if the current url doesn't match it?

right now if a machine has multiple names that point to the same httpd, you
can hit bugzilla on any of those names regardless of the configured urlbase

this has an impact on cookies and on bug 260682 (support redirecting to
https for authenticated sessions only).  this bug basically redirects from the
current url to https://current url when a login is required.

stephen lee raised a valid point on that bug.. what if the box has multiple
names and the certificate is attached to a name that you're not accessing?

this got me thinking..

one fix is to add another parameter to specify the sslbase but i think we have
enough parameters as it is.  (need to sort out that categorise parameters bug)

another option is to ensure that when a user hits the bugzilla install, they
use the official urlbase, and redirect if they don't.

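A sketch of the redirect check proposed in the message above, as an added example (it is not Bugzilla code and not part of the original post). The function name, its parameters and the example.com hostnames are assumptions, and it assumes every hostname serves the install at the same path; the redirect target is built only from the configured urlbase, so the client-supplied Host header is compared but never echoed back.

```python
from urllib.parse import urlsplit, urlunsplit

DEFAULT_PORTS = {"http": 80, "https": 443}


def _origin(scheme, host, port):
    """Normalise (scheme, host, port) so equivalent spellings compare equal."""
    scheme = scheme.lower()
    return scheme, host.lower().rstrip("."), port or DEFAULT_PORTS.get(scheme)


def canonical_redirect(urlbase, scheme, host_header, path, query=""):
    """Return the URL to redirect to, or None if the request already uses urlbase.

    urlbase     -- the configured parameter, e.g. "https://bugs.example.com/"
    scheme      -- "http" or "https", as seen by the web server
    host_header -- raw Host header from the client (untrusted)
    path, query -- request path and query string, preserved across the redirect
    """
    base = urlsplit(urlbase)
    want = _origin(base.scheme, base.hostname or "", base.port)
    try:
        req = urlsplit(f"{scheme}://{host_header}")
        got = _origin(scheme, req.hostname or "", req.port)
    except ValueError:
        got = None  # malformed Host header (bad port, bad IPv6 literal)
    if got == want:
        return None
    # Scheme and host come from urlbase only, so an https urlbase always
    # lands on the name the certificate was issued for.
    return urlunsplit((base.scheme, base.netloc, path, query, ""))


if __name__ == "__main__":
    URLBASE = "https://bugs.example.com/"  # constructed sample value
    samples = [  # constructed sample requests
        ("https", "bugs.example.com", "/show_bug.cgi", "id=1"),
        ("https", "BUGS.example.com:443", "/index.cgi", ""),
        ("http", "bugs.example.com", "/index.cgi", ""),
        ("https", "alias.example.com", "/show_bug.cgi", "id=1"),
    ]
    for s in samples:
        print(s, "->", canonical_redirect(URLBASE, *s))
```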
