diff options
| author | Dylan Hardison <dylan@mozilla.com> | 2016-03-10 04:16:56 +0100 |
|---|---|---|
| committer | Dylan Hardison <dylan@mozilla.com> | 2016-03-10 04:17:15 +0100 |
| commit | 844c6238baf72dfa79ad7e33f2bc1947cbf5b3f5 (patch) | |
| tree | f8dfdac10f166934fcf22c01d44e66b8df873577 | |
| parent | 9cc89d34f79d1a326e5c792722163d5908a97c13 (diff) | |
| download | bugzilla-844c6238baf72dfa79ad7e33f2bc1947cbf5b3f5.tar.gz bugzilla-844c6238baf72dfa79ad7e33f2bc1947cbf5b3f5.tar.xz | |
Bug 1253914 - Cross domain referer leakage when resetting the user password
4 files changed, 8 insertions, 1 deletions
diff --git a/extensions/GitHubAuth/template/en/default/hook/account/auth/login-additional_methods.html.tmpl b/extensions/GitHubAuth/template/en/default/hook/account/auth/login-additional_methods.html.tmpl index 609b86159..17bcb3e42 100644 --- a/extensions/GitHubAuth/template/en/default/hook/account/auth/login-additional_methods.html.tmpl +++ b/extensions/GitHubAuth/template/en/default/hook/account/auth/login-additional_methods.html.tmpl @@ -17,4 +17,4 @@ width="185" height="25"> </form> </p> -[% END %] +[% END %]
\ No newline at end of file diff --git a/extensions/GitHubAuth/template/en/default/hook/global/code-error-errors.html.tmpl b/extensions/GitHubAuth/template/en/default/hook/global/code-error-errors.html.tmpl index aaf9b6fa3..c32dd3cd5 100644 --- a/extensions/GitHubAuth/template/en/default/hook/global/code-error-errors.html.tmpl +++ b/extensions/GitHubAuth/template/en/default/hook/global/code-error-errors.html.tmpl @@ -21,6 +21,9 @@ [% ELSIF error == "github_invalid_target" %] [% terms.Bugzilla %] cannot log you into an external site via GitHub. +[% ELSIF error == "github_insecure_referer" %] + [% terms.Bugzilla %] prevented you from logging in from a page containing private information. + [% ELSIF error == "github_invalid_request" %] Invalid GitHub log in attempt (reason: [% reason FILTER html %]) diff --git a/github.cgi b/github.cgi index 03a5753e6..74111eae3 100755 --- a/github.cgi +++ b/github.cgi @@ -41,6 +41,9 @@ if (lc($cgi->request_method) eq 'post') { ThrowCodeError("github_invalid_target", { target_uri => $target_uri }) unless $target_uri =~ /^\Q$urlbase\E/; + ThrowCodeError("github_insecure_referer", { target_uri => $target_uri }) + if $cgi->referer && $cgi->referer =~ /(reset_password\.cgi|token\.cgi|t=|token=|api_key=)/; + if ($user->id) { print $cgi->redirect($target_uri); exit; diff --git a/template/en/default/global/header.html.tmpl b/template/en/default/global/header.html.tmpl index 23634ed43..382c72f1d 100644 --- a/template/en/default/global/header.html.tmpl +++ b/template/en/default/global/header.html.tmpl @@ -268,6 +268,7 @@ [% IF allow_mobile && is_mobile_browser %] <meta name="viewport" content="width=device-width, initial-scale=1"> [% END %] + <meta name="referrer" content="origin"> [% Hook.process("additional_header") %] </head> |