diff options
| author | Byron Jones <glob@mozilla.com> | 2014-11-04 15:40:34 +0100 |
|---|---|---|
| committer | Byron Jones <glob@mozilla.com> | 2014-11-04 15:40:34 +0100 |
| commit | ede3ced0fa2b76a5fcf8770eee29a2e23d5189a9 (patch) | |
| tree | 527db7cd4f722f315de1247ac77897fb24ad1d7c /Bugzilla/Auth | |
| parent | 64fc523d6feb517dae87d76ea8568f43b89e1547 (diff) | |
| download | bugzilla-ede3ced0fa2b76a5fcf8770eee29a2e23d5189a9.tar.gz bugzilla-ede3ced0fa2b76a5fcf8770eee29a2e23d5189a9.tar.xz | |
Bug 1093622: Backout bug 1090427 for causing: authenticated calls from bzapi are failing: 'Untrusted Authentication Request'
Diffstat (limited to 'Bugzilla/Auth')
| -rw-r--r-- | Bugzilla/Auth/Login/CGI.pm | 41 |
1 files changed, 4 insertions, 37 deletions
diff --git a/Bugzilla/Auth/Login/CGI.pm b/Bugzilla/Auth/Login/CGI.pm index 12b59d68b..8e877b951 100644 --- a/Bugzilla/Auth/Login/CGI.pm +++ b/Bugzilla/Auth/Login/CGI.pm @@ -37,52 +37,19 @@ use Bugzilla::Constants; use Bugzilla::WebService::Constants; use Bugzilla::Util; use Bugzilla::Error; -use Bugzilla::Token; sub get_login_info { my ($self) = @_; my $params = Bugzilla->input_params; - my $cgi = Bugzilla->cgi; - - my $login = trim(delete $params->{'Bugzilla_login'}); - my $password = delete $params->{'Bugzilla_password'}; - # The token must match the cookie to authenticate the request. - my $login_token = delete $params->{'Bugzilla_login_token'}; - my $login_cookie = $cgi->cookie('Bugzilla_login_request_cookie'); - my $valid = 0; - # If the web browser accepts cookies, use them. - if ($login_token && $login_cookie) { - my ($time, undef) = split(/-/, $login_token); - # Regenerate the token based on the information we have. - my $expected_token = issue_hash_token(['login_request', $login_cookie], $time); - $valid = 1 if $expected_token eq $login_token; - $cgi->remove_cookie('Bugzilla_login_request_cookie'); - } - # WebServices and other local scripts can bypass this check. - # This is safe because we won't store a login cookie in this case. - elsif (Bugzilla->usage_mode != USAGE_MODE_BROWSER) { - $valid = 1; - } - # Else falls back to the Referer header and accept local URLs. - # Attachments are served from a separate host (ideally), and so - # an evil attachment cannot abuse this check with a redirect. - elsif (my $referer = $cgi->referer) { - my $urlbase = correct_urlbase(); - $valid = 1 if $referer =~ /^\Q$urlbase\E/; - } - # If the web browser doesn't accept cookies and the Referer header - # is missing, we have no way to make sure that the authentication - # request comes from the user. - elsif ($login && $password) { - ThrowUserError('auth_untrusted_request', { login => $login }); - } + my $username = trim(delete $params->{"Bugzilla_login"}); + my $password = delete $params->{"Bugzilla_password"}; - if (!$login || !$password || !$valid) { + if (!defined $username || !defined $password) { return { failure => AUTH_NODATA }; } - return { username => $login, password => $password }; + return { username => $username, password => $password }; } sub fail_nodata { |