summaryrefslogtreecommitdiffstats
path: root/Bugzilla/Auth/Persist
diff options
context:
space:
mode:
authorDylan Hardison <dylan@mozilla.com>2015-11-05 06:28:14 +0100
committerDylan Hardison <dylan@mozilla.com>2015-11-05 06:28:14 +0100
commit534fc2123e40b7517aeaffd709faf72af97ac3b8 (patch)
tree18ad69c8fb22e213ee3256c0768e35dd964d2156 /Bugzilla/Auth/Persist
parent67d9618771441215d8c431b81bf66acd4faa2aa1 (diff)
downloadbugzilla-534fc2123e40b7517aeaffd709faf72af97ac3b8.tar.gz
bugzilla-534fc2123e40b7517aeaffd709faf72af97ac3b8.tar.xz
Bug 1196743 - Fix information disclosure vulnerability that allows attacker to obtain victim's GitHub OAuth return code
Diffstat (limited to 'Bugzilla/Auth/Persist')
-rw-r--r--Bugzilla/Auth/Persist/Cookie.pm2
1 files changed, 2 insertions, 0 deletions
diff --git a/Bugzilla/Auth/Persist/Cookie.pm b/Bugzilla/Auth/Persist/Cookie.pm
index 4adb00f96..fd910b118 100644
--- a/Bugzilla/Auth/Persist/Cookie.pm
+++ b/Bugzilla/Auth/Persist/Cookie.pm
@@ -90,6 +90,8 @@ sub persist_login {
$cookieargs{'-secure'} = 1;
}
+ $cgi->remove_cookie('github_secret');
+ $cgi->remove_cookie('Bugzilla_login_request_cookie');
$cgi->send_cookie(-name => 'Bugzilla_login',
-value => $user->id,
%cookieargs);