author | Dylan William Hardison <dylan@mozilla.com> | 2015-05-26 15:40:39 +0200 |
---|---|---|
committer | Byron Jones <glob@mozilla.com> | 2015-05-26 15:40:39 +0200 |
commit | 07e47c4b4436a8ab9414d64894ccada36c8d124a (patch) | |
tree | ceb62ad30ff9678f362d356cdd1c36580755d3bc | |
parent | d85abfea5c720cd07d4a7358138b55f34af98c8d (diff) | |
Bug 1162302: Bugzilla to GitHub OAuth CSRF
-rw-r--r-- | extensions/GitHubAuth/lib/Client.pm | 4 | ||||
-rw-r--r-- | extensions/GitHubAuth/lib/Login.pm | 12 |
2 files changed, 15 insertions, 1 deletions
diff --git a/extensions/GitHubAuth/lib/Client.pm b/extensions/GitHubAuth/lib/Client.pm
index 896e82eff..bcd5e462e 100644
--- a/extensions/GitHubAuth/lib/Client.pm
+++ b/extensions/GitHubAuth/lib/Client.pm
@@ -56,9 +56,11 @@ sub login_uri {
 sub get_email_key {
     my ($class, $email) = @_;
+    my $cgi = Bugzilla->cgi;
     my $digest = Digest->new(DIGEST_HASH);
     $digest->add($email);
     $digest->add(remote_ip());
+    $digest->add($cgi->cookie('Bugzilla_github_token') // '');
     $digest->add(Bugzilla->localconfig->{site_wide_secret});
     return $digest->hexdigest;
 }
@@ -79,9 +81,11 @@ sub get_state {
     $sorted_target->query_param_delete('GoAheadAndLogIn');
     $sorted_target->query_param_delete('github_login');
+    my $cgi = Bugzilla->cgi;
     my $digest = Digest->new(DIGEST_HASH);
     $digest->add($sorted_target->as_string);
     $digest->add(remote_ip());
+    $digest->add($cgi->cookie('Bugzilla_github_token') // '');
     $digest->add(Bugzilla->localconfig->{site_wide_secret});
     return $digest->hexdigest;
 }
diff --git a/extensions/GitHubAuth/lib/Login.pm b/extensions/GitHubAuth/lib/Login.pm
index cdf3eaa61..5f1ad4a77 100644
--- a/extensions/GitHubAuth/lib/Login.pm
+++ b/extensions/GitHubAuth/lib/Login.pm
@@ -14,7 +14,7 @@ use fields qw(github_failure);
 use Scalar::Util qw(blessed);
 use Bugzilla::Constants qw(AUTH_NODATA AUTH_ERROR USAGE_MODE_BROWSER );
-use Bugzilla::Util qw(trick_taint correct_urlbase);
+use Bugzilla::Util qw(trick_taint correct_urlbase generate_random_password);
 use Bugzilla::Extension::GitHubAuth::Client;
 use Bugzilla::Extension::GitHubAuth::Client::Error ();
 use Bugzilla::Extension::GitHubAuth::Util qw(target_uri);
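Review bot: The `// ''` fallback on the new `$digest->add($cgi->cookie('Bugzilla_github_token') // '');` line in get_email_key means a request that carries no token cookie gets a key bound only to email, remote IP and the site secret — exactly the pre-fix binding this commit is replacing — so a cookie-less client is still protected only by its IP. If get_email_key is also what checks the incoming `github_email_key` parameter (that caller is not in this diff), the verification side should refuse rather than degrade, e.g. `my $token = $cgi->cookie('Bugzilla_github_token') or return;` with the caller treating an undefined key as a mismatch. The mint-side call would then need the token to exist before it runs, which is worth confirming against the Login.pm half of this change.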
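Review bot: The cookie lookup added to get_state is a copy of the one added to get_email_key, so the two digests can silently drift if only one is changed later; a private helper in this package, `sub _github_token { return Bugzilla->cgi->cookie('Bugzilla_github_token') // ''; }`, called from both would keep the binding rule in one place. Separately, `$cgi->cookie` reads the incoming request, so a state computed in the same response that first queues the token cookie via send_cookie in Login.pm is bound to the empty string while the callback will carry the new cookie; unless Bugzilla::CGI's cookie() also sees cookies queued by send_cookie(), which is not visible here, the first login attempt from a fresh browser would fail the state check. get_state's opening lines are outside the hunk.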
@@ -31,6 +31,14 @@ sub get_login_info {
     my $github_email = $cgi->param('github_email');
     my $github_email_key = $cgi->param('github_email_key');
+    my $cookie = $cgi->cookie('Bugzilla_github_token');
+    unless ($cookie) {
+        $cgi->send_cookie(-name => 'Bugzilla_github_token',
+                          -value => generate_random_password(),
+                          Bugzilla->params->{'ssl_redirect'} ? ( -secure => 1 ) : (),
+                          -httponly => 1);
+    }
+
     return { failure => AUTH_NODATA } unless $github_login;
     if ($github_email_key && $github_email) {
@@ -105,6 +113,7 @@ sub _get_login_info_from_github {
     if (@allowed_bugzilla_users == 1) {
         my ($user) = @allowed_bugzilla_users;
+        $cgi->remove_cookie('Bugzilla_github_token');
         return { username => $user->login, user_id => $user->id, github_auth => 1 };
     } elsif (@allowed_bugzilla_users > 1) {
@@ -151,6 +160,7 @@ sub _get_login_info_from_email {
     return { failure => AUTH_ERROR, user_error => 'github_auth_account_too_powerful' } if $user && $user->in_group('no-github-auth');
+    $cgi->remove_cookie('Bugzilla_github_token');
     return { username => $github_email, github_auth => 1 };
 }
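Review bot: The freshly minted token on the `-value => generate_random_password(),` line is handed straight to send_cookie and never kept, so nothing else in this same request can bind to it — it only becomes visible through `$cgi->cookie` on the next request. Keeping the value, `$cookie = generate_random_password(32);` and `-value => $cookie,`, and stashing it where the Client.pm digest helpers can read it for the current request (Bugzilla's per-request cache, if that is the project's convention) closes that gap. The explicit length is worth adding in the same step: generate_random_password's default size and randomness source are not visible in this diff, and the token's only job is to be unguessable per browser, so a longer value from a CSPRNG-backed generator is the safer choice — confirm what Bugzilla::Util actually provides. The cookie is also minted on every unauthenticated request rather than only in the GitHub flow; gating it on browser usage mode (USAGE_MODE_BROWSER is already imported) would avoid setting it for API clients.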
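Review bot: Clearing the token with `$cgi->remove_cookie('Bugzilla_github_token');` is done by hand on each successful return path (here and again in _get_login_info_from_email), so any success path added to this module later will silently leave a reusable token behind. Doing it once in get_login_info, after the helper result comes back and only when that result carries `github_auth => 1`, keeps the single-use rule in one place; the elsif branch that follows (outside the hunk) presumably still needs the cookie for the multi-user email step, so clearing in the caller must key off the result rather than the branch. _get_login_info_from_github starts outside the hunk, and `$cgi` is assumed to already be declared in its scope.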
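Review bot: The reason for removing the cookie right before the success return is not stated, and a why-comment would help the next reader: `# The token is single-use: drop it so a replayed state/github_email_key no longer matches the digest.` That claim follows from Client.pm in this same commit, where the cookie value is an input to both digests and its absence changes the result. _get_login_info_from_email starts outside the hunk; `$cgi` must already be in scope there for the added line to compile under strict.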