authorDylan Hardison <dylan@mozilla.com>2016-03-10 04:12:31 +0100
committerDylan Hardison <dylan@mozilla.com>2016-03-10 04:12:31 +0100
commit9cc89d34f79d1a326e5c792722163d5908a97c13 (patch)
tree3dc2a45f0826439fc6ea814197173a1fbb30b378
parentad2b169b0b40aa53bfacb8a7cfb89631134a865d (diff)
Bug 1254227 - MozReview auth delegation allows sending out phishing mails via Bugzilla
-rwxr-xr-xauth.cgi6
-rw-r--r--extensions/MozReview/Extension.pm4
-rw-r--r--template/en/default/email/new-api-key.txt.tmpl2
-rw-r--r--template/en/default/global/user-error.html.tmpl6
4 files changed, 15 insertions, 3 deletions
diff --git a/auth.cgi b/auth.cgi
index f069e3aec..49edd6abe 100755
--- a/auth.cgi
+++ b/auth.cgi
@@ -39,14 +39,19 @@ my $description = $cgi->param('description') or ThrowUserError("auth_delegation_
trick_taint($callback);
trick_taint($description);
+ThrowUserError("auth_delegation_invalid_description")
+ unless $description =~ /^[\w\s]{3,255}$/;
+
my $callback_uri = URI->new($callback);
my $callback_base = $callback_uri->clone;
$callback_base->query(undef);
+my $app_id = sha256_hex($callback_base, $description);
my $skip_confirmation = 0;
my %args = ( skip_confirmation => \$skip_confirmation,
callback => $callback_uri,
description => $description,
+ app_id => $app_id,
callback_base => $callback_base );
Bugzilla::Hook::process('auth_delegation_confirm', \%args);
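Review bot: The new check `unless $description =~ /^[\w\s]{3,255}$/;` still lets a description span several lines, because `\s` matches newline and tab and `$` also tolerates a trailing newline, so a multi-line string of up to 255 characters reaches the email template and the user-error page; anchoring with `\A`/`\z` and restricting the separator gives `unless $description =~ /\A[\w ]{3,255}\z/;` if single-line descriptions are what is intended. `\w` also matches digits and underscore, so the accompanying error text about "words only" should be read as letters, digits, underscore and whitespace. A one-line comment above the check, such as `# Description is supplied by the requesting site and is echoed in email; keep it to plain words`, would record why the restriction exists. The second hunk of this file only moves the `$app_id` computation up to this point.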
@@ -64,7 +69,6 @@ if ($confirmed || $skip_confirmation) {
{ token => $token, callback => $callback });
}
}
- my $app_id = sha256_hex($callback_base, $description);
my $keys = Bugzilla::User::APIKey->match({
user_id => $user->id,
app_id => $app_id,
diff --git a/extensions/MozReview/Extension.pm b/extensions/MozReview/Extension.pm
index 1969ade42..907f12e56 100644
--- a/extensions/MozReview/Extension.pm
+++ b/extensions/MozReview/Extension.pm
@@ -82,10 +82,12 @@ sub template_before_process {
sub auth_delegation_confirm {
my ($self, $args) = @_;
my $mozreview_callback_url = Bugzilla->params->{mozreview_auth_callback_url};
+ my $mozreview_app_id = Bugzilla->params->{mozreview_app_id};
return unless $mozreview_callback_url;
+ return unless $mozreview_app_id;
- if (index($args->{callback}, $mozreview_callback_url) == 0) {
+ if (index($args->{callback}, $mozreview_callback_url) == 0 && $args->{app_id} eq $mozreview_app_id) {
${$args->{skip_confirmation}} = 1;
}
}
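Review bot: `$args->{app_id} eq $mozreview_app_id` on the rewritten `if` line compares an undefined value when a caller of the `auth_delegation_confirm` hook does not populate `app_id` (only the updated auth.cgi visibly sets it), which raises an uninitialized-value warning and silently compares `''`; guarding it keeps the intent explicit: `&& defined $args->{app_id} && $args->{app_id} eq $mozreview_app_id`. The two consecutive `return unless` lines read better merged as `return unless $mozreview_callback_url && $mozreview_app_id;`. Since `index(...) == 0` is only a prefix test on the callback, the `app_id` equality — a hash over the query-stripped callback and the description, per auth.cgi — is presumably now the check that actually pins the callback path; a comment stating that would help the next reader.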
diff --git a/template/en/default/email/new-api-key.txt.tmpl b/template/en/default/email/new-api-key.txt.tmpl
index 5dc068b05..4a03fe800 100644
--- a/template/en/default/email/new-api-key.txt.tmpl
+++ b/template/en/default/email/new-api-key.txt.tmpl
@@ -21,7 +21,7 @@ X-Bugzilla-Type: admin
[This e-mail has been automatically generated]
A new [% terms.Bugzilla %] API key[% IF new_key.description %], with the
-description '[% new_key.description %]'[% END %] has been created. You can view
+description '[% new_key.description FILTER truncate(10) %]'[% END %] has been created. You can view
or update the key at the following URL:
[%+ urlbase %]userprefs.cgi?tab=apikey
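Review bot: `FILTER truncate(10)` on the changed description line leaves only 7 visible characters, because Template Toolkit's `truncate` counts its default `...` suffix inside the requested length, so most legitimate descriptions will be unreadable in the email. If the goal is to keep a requester-supplied description from carrying a message, a length in the 20–32 range with explicit dots, e.g. `FILTER truncate(32, '...')`, still achieves that while leaving the key identifiable, and a template comment such as `[%# keep the description short: for delegated keys it is supplied by the requesting site %]` records the reason. This template presumably also renders keys the user creates themselves in userprefs, where the truncation has no protective purpose — worth confirming.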
diff --git a/template/en/default/global/user-error.html.tmpl b/template/en/default/global/user-error.html.tmpl
index 2ecad03fd..33fb0123d 100644
--- a/template/en/default/global/user-error.html.tmpl
+++ b/template/en/default/global/user-error.html.tmpl
@@ -148,6 +148,12 @@
[% title = "Auth delegation can't be confirmed" %]
Auth delegation cannot be confirmed due to missing or invalid token.
+ [% ELSIF error == "auth_delegation_invalid_description" %]
+ [% title = "Auth delegation suspicious description" %]
+ It looks like auth delegation was attempted with a suspicious description!
+ Auth Delegation descriptions should consist only of words, with no other punctuation.
+ You were sent here by some other site; please contact them for support.
+
[% ELSIF error == "auth_delegation_invalid_token" %]
[% title = "Auth delegation can't be confirmed" %]
Auth delegation cannot be confirmed due to missing or invalid token.
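Review bot: The new message "descriptions should consist only of words, with no other punctuation" does not match what auth.cgi now accepts (`[\w\s]{3,255}`): letters, digits, underscores and whitespace, between 3 and 255 characters. A wording that states the actual rule is more useful to a site operator debugging the rejection: `Auth delegation descriptions must be 3 to 255 characters long and contain only letters, digits, underscores and spaces.` The capitalization "Auth Delegation" on that line also differs from "auth delegation" in the surrounding text and titles.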