From c8b627dfc77fb9caeab0228175fd284d7fa77361 Mon Sep 17 00:00:00 2001
From: Jean-Philippe Lang
Date: Wed, 6 Jul 2011 19:02:58 +0000
Subject: [PATCH] Mitigates vulnerability in API authentication introduced in r3218.

git-svn-id: svn+ssh://rubyforge.org/var/svn/redmine/trunk@6187 e93f8b46-1217-0410-a6f0-8f06a7374b81
---
 app/controllers/application_controller.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/app/controllers/application_controller.rb b/app/controllers/application_controller.rb
index e3f768645..e23f8b108 100644
--- a/app/controllers/application_controller.rb
+++ b/app/controllers/application_controller.rb
@@ -71,7 +71,7 @@ class ApplicationController < ActionController::Base
 user = User.try_to_autologin(cookies[:autologin])
 session[:user_id] = user.id if user
 user
- elsif params[:format] == 'atom' && params[:key] && accept_key_auth_actions.include?(params[:action])
+ elsif params[:format] == 'atom' && request.get? && params[:key] && accept_key_auth_actions.include?(params[:action])
 # RSS key authentication does not start a session
 User.find_by_rss_key(params[:key])
 elsif Setting.rest_api_enabled? && api_request?
--
2.39.5
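Review bot: The `+` line still only checks that `params[:key]` is truthy before handing it to `User.find_by_rss_key`, so an empty string passes (it is truthy in Ruby) and a non-scalar value parsed by Rack (a `key[]=` array or `key[x]=` hash) is forwarded to the finder unchanged, which is presumably not an intended lookup shape. Tightening the guard to a non-empty String keeps the finder on a single scalar key: `elsif params[:format] == 'atom' && request.get? && params[:key].is_a?(String) && !params[:key].empty? && accept_key_auth_actions.include?(params[:action])`. The added `request.get?` restricts key-based access to read requests, but the key is still carried in the query string; a short comment on the branch noting that it is expected in the URL (and so lands in request logs and browser history) would help the next maintainer reason about where it is exposed. The enclosing method begins before and ends after this hunk, so any other `elsif` branches that also read `params[:key]` are not visible here.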