Bug 1196743 - Fix information disclosure vulnerability that allows attacker to obtain victim's GitHub OAuth return code

author: Dylan Hardison <dylan@mozilla.com> 2015-11-05 06:28:14 +0100
committer: Dylan Hardison <dylan@mozilla.com> 2015-11-05 06:28:14 +0100
commit: 534fc2123e40b7517aeaffd709faf72af97ac3b8 (patch)
tree: 18ad69c8fb22e213ee3256c0768e35dd964d2156 /Bugzilla/Auth
parent: 67d9618771441215d8c431b81bf66acd4faa2aa1 (diff)
download: bugzilla-534fc2123e40b7517aeaffd709faf72af97ac3b8.tar.gz
bugzilla-534fc2123e40b7517aeaffd709faf72af97ac3b8.tar.xz
1 files changed, 2 insertions, 0 deletions
diff --git a/Bugzilla/Auth/Persist/Cookie.pm b/Bugzilla/Auth/Persist/Cookie.pm
index 4adb00f96..fd910b118 100644
--- a/Bugzilla/Auth/Persist/Cookie.pm
+++ b/Bugzilla/Auth/Persist/Cookie.pm
@@ -90,6 +90,8 @@ sub persist_login {
         $cookieargs{'-secure'} = 1;
     }
 
+    $cgi->remove_cookie('github_secret');
+    $cgi->remove_cookie('Bugzilla_login_request_cookie');
     $cgi->send_cookie(-name => 'Bugzilla_login',
                       -value => $user->id,
                       %cookieargs);
author	Dylan Hardison <dylan@mozilla.com>	2015-11-05 06:28:14 +0100
committer	Dylan Hardison <dylan@mozilla.com>	2015-11-05 06:28:14 +0100
commit	534fc2123e40b7517aeaffd709faf72af97ac3b8 (patch)
tree	18ad69c8fb22e213ee3256c0768e35dd964d2156 /Bugzilla/Auth
parent	67d9618771441215d8c431b81bf66acd4faa2aa1 (diff)
download	bugzilla-534fc2123e40b7517aeaffd709faf72af97ac3b8.tar.gz bugzilla-534fc2123e40b7517aeaffd709faf72af97ac3b8.tar.xz