Closed Bug 258201 Opened 20 years ago Closed 20 years ago

Remove detection of admin in inc_header

Categories

(addons.mozilla.org Graveyard :: Developer Pages, defect)

defect
Not set
minor

Tracking

(Not tracked)

RESOLVED FIXED

People

(Reporter: csthomas, Assigned: wolf)

Details

(Whiteboard: beta)

In inc_header.php:

    $pos = strpos($_SERVER["REQUEST_URI"], "/admin");
    if ($pos !== false) {
        echo '<LINK REL="STYLESHEET" TYPE="text/css" HREF="/core/mozupdates.bak.css">';
        $application="login";
        $_SESSION["application"]="login";
        unset($_SESSION["app_version"], $_SESSION["app_os"]);
    }

Compare the source code for http://update.mozilla.org/?/admin to the code for http://update.mozilla.org/ - you'll see that we run that code in the first case, even though we shouldn't. I'm marking security just in case setting the app to login exposes something we don't want to. For what it's worth, this may be a case where code sharing isn't as good - if you're going to separate admin/, it needs to be properly separated.
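An added example, not part of the original report or the project's code: the substring check quoted above next to a path-only check, run over constructed request URIs. The function names, the sample URIs and the assumption that the admin area lives under /admin/ are illustrative.

```php
<?php
// Added example; function names and sample URIs are constructed for illustration.

// The check as quoted in the report: matches "/admin" anywhere in the
// request URI, including inside the query string.
function is_admin_request_substring(string $requestUri): bool
{
    return strpos($requestUri, '/admin') !== false;
}

// Path-only check: drop the query string, then require the path to be
// exactly /admin or to sit below /admin/ (assumed location of the admin area).
function is_admin_request_path(string $requestUri): bool
{
    $path = parse_url($requestUri, PHP_URL_PATH);
    if (!is_string($path)) {
        return false; // malformed URI or no path component: treat as non-admin
    }
    return $path === '/admin' || strncmp($path, '/admin/', 7) === 0;
}

// Constructed sample request URIs.
$samples = [
    '/',
    '/admin/',
    '/admin/login.php',
    '/?/admin',
    '/extensions/?ref=/admin',
    '/administrator-notes.html',
];

printf("%-28s %-10s %s\n", 'REQUEST_URI', 'substring', 'path-only');
foreach ($samples as $uri) {
    printf(
        "%-28s %-10s %s\n",
        $uri,
        is_admin_request_substring($uri) ? 'admin' : '-',
        is_admin_request_path($uri) ? 'admin' : '-'
    );
}
```

The last three sample URIs are treated as admin requests by the substring check but not by the path-only check.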
Heh, the only thing it affects is which tab is highlighted. That section of code is a hack to avoid breaking the admin panel, IIRC. (Primarily for the stylesheet to be included, as the new styles don't degrade well for admin.) So it may be unsafe, but for what it's doing, it doesn't actually matter.
If it's actually worth patching that hack to be safer, feel free to submit a patch on it. The better fix though is to complete bug 254925 to fix the strange dependency on the backup stylesheet (in favor of either no admin-specific styles or an admin-specific additional stylesheet included in a different location). Also, Bug 249447 is removing the highlighted tabs, which will fix the need for those lines, thereby removing the entire block in question.
Severity: normal → minor
Depends on: 249447, 254925
This isn't a security bug, though I'm not empowered to remove that.
Status: NEW → ASSIGNED
Summary: Unsafe detection of admin use in header → Remove detection of admin in inc_header
Whiteboard: not-security, fixed-development
removing security flag per comment 3.
Group: security
Whiteboard: not-security, fixed-development → fixed-development
Whiteboard: fixed-development → fixed-beta
Bulk Moving Developer Control Panel bugs to new component. (Filter: massdevcpspam)
Component: Update → Developers
Product: mozilla.org → Update
Version: other → unspecified
restoring the security flag that got removed during the product move.
Group: webtools-security
Mass-resolving bugs that have been fixed on trunk.
Status: ASSIGNED → RESOLVED
Closed: 20 years ago
Resolution: --- → FIXED
Sorry for the bugspam, reopening bugs wrongly marked as resolved.
Status: RESOLVED → REOPENED
Resolution: FIXED → ---
Status: REOPENED → ASSIGNED
Target Milestone: --- → 1.0
Group: webtools-security
Status: ASSIGNED → RESOLVED
Closed: 20 years ago
Resolution: --- → FIXED
Whiteboard: fixed-beta → beta
Version: unspecified → 0.9
Product: addons.mozilla.org → addons.mozilla.org Graveyard