From: Jean-Philippe Lang
Date: Wed, 6 Jul 2011 19:02:58 +0000 (+0000)
Subject: Mitigates vulnerability in API authentication introduced in r3218.
X-Git-Tag: 1.3.0~1729
X-Git-Url: https://source.dussan.org/?a=commitdiff_plain;h=c8b627dfc77fb9caeab0228175fd284d7fa77361;p=redmine.git
Mitigates vulnerability in API authentication introduced in r3218.
git-svn-id: svn+ssh://rubyforge.org/var/svn/redmine/trunk@6187 e93f8b46-1217-0410-a6f0-8f06a7374b81
---
diff --git a/app/controllers/application_controller.rb b/app/controllers/application_controller.rb
index e3f768645..e23f8b108 100644
--- a/app/controllers/application_controller.rb
+++ b/app/controllers/application_controller.rb
@@ -71,7 +71,7 @@ class ApplicationController < ActionController::Base
 user = User.try_to_autologin(cookies[:autologin])
 session[:user_id] = user.id if user
 user
-elsif params[:format] == 'atom' && params[:key] && accept_key_auth_actions.include?(params[:action])
+elsif params[:format] == 'atom' && request.get? && params[:key] && accept_key_auth_actions.include?(params[:action])
 # RSS key authentication does not start a session
 User.find_by_rss_key(params[:key])
 elsif Setting.rest_api_enabled? && api_request?
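Review bot: The new `request.get?` guard on the `elsif` line is the whole security fix, yet nothing in the code says why it is there; the comment on the following line only explains that this path does not start a session, so the next maintainer who "simplifies" the condition has no hint that the method check is load-bearing. I would extend that comment to `# RSS key authentication: GET only and no session. The feed key is a read-only credential and must never authenticate a state-changing request.` Note also that a non-GET request carrying `format=atom` and a key no longer matches this branch and falls through to the `Setting.rest_api_enabled? && api_request?` branch; whether `api_request?` rejects the atom format is not visible here, so that fall-through is worth confirming in a test. The enclosing method begins before and continues after this hunk.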