From 8124a0f52db44bd4322f8eed44b51f9985b76c6a Mon Sep 17 00:00:00 2001
From: "bzrmirror%bugzilla.org"
Date: Fri, 14 Feb 2014 23:32:26 +0000
Subject: [PATCH] Bug 966676: The 'sudo' cookie should not be accessible from JavaScript r=dkl a=justdave

git-svn-id: svn://10.0.0.236/trunk@265245 18797224-902f-48f8-a5cc-f745e15eee43
---
 mozilla/webtools/bugzilla/.bzrrev | 2 +-
 mozilla/webtools/bugzilla/relogin.cgi | 13 ++++++++++---
 2 files changed, 11 insertions(+), 4 deletions(-)

diff --git a/mozilla/webtools/bugzilla/.bzrrev b/mozilla/webtools/bugzilla/.bzrrev
index 6946037d40b..d00ca55cc42 100644
--- a/mozilla/webtools/bugzilla/.bzrrev
+++ b/mozilla/webtools/bugzilla/.bzrrev
@@ -1 +1 @@
-8920
\ No newline at end of file
+8921
\ No newline at end of file
diff --git a/mozilla/webtools/bugzilla/relogin.cgi b/mozilla/webtools/bugzilla/relogin.cgi
index e2effd1058b..52944a81110 100755
--- a/mozilla/webtools/bugzilla/relogin.cgi
+++ b/mozilla/webtools/bugzilla/relogin.cgi
@@ -137,11 +137,18 @@ elsif ($action eq 'begin-sudo') {
 # For future sessions, store the unique ID of the target user
 my $token = Bugzilla::Token::_create_token($user->id, 'sudo', $target_user->id);
+
+ my %args;
+ if (Bugzilla->params->{ssl_redirect}) {
+ $args{'-secure'} = 1;
+ }
+
 $cgi->send_cookie('-name' => 'sudo',
 '-expires' => $time_string,
- '-value' => $token
- );
-
+ '-value' => $token,
+ '-httponly' => 1,
+ %args);
+
 # For the present, change the values of Bugzilla::user & Bugzilla::sudoer
 Bugzilla->sudo_request($target_user, $user);