Mitigates vulnerability in API authentication introduced in r3218.

git-svn-id: svn+ssh://rubyforge.org/var/svn/redmine/trunk@6187 e93f8b46-1217-0410-a6f0-8f06a7374b81
2011-07-06 19:02:58 +00:00 · 2011-07-06 19:02:58 +00:00 · c8b627dfc7
parent d48ea90876
commit c8b627dfc7
1 changed files with 1 additions and 1 deletions
--- a/app/controllers/application_controller.rb
+++ b/app/controllers/application_controller.rb
@ -71,7 +71,7 @@ class ApplicationController < ActionController::Base
      user = User.try_to_autologin(cookies[:autologin])
      session[:user_id] = user.id if user
      user
-    elsif params[:format] == 'atom' && params[:key] && accept_key_auth_actions.include?(params[:action])
+    elsif params[:format] == 'atom' && request.get? && params[:key] && accept_key_auth_actions.include?(params[:action])
      # RSS key authentication does not start a session
      User.find_by_rss_key(params[:key])
    elsif Setting.rest_api_enabled? && api_request?