diff options
| author | Dylan Hardison <dylan@mozilla.com> | 2015-11-05 06:28:14 +0100 |
|---|---|---|
| committer | Dylan Hardison <dylan@mozilla.com> | 2015-11-05 06:28:14 +0100 |
| commit | 534fc2123e40b7517aeaffd709faf72af97ac3b8 (patch) | |
| tree | 18ad69c8fb22e213ee3256c0768e35dd964d2156 /Bugzilla/CGI.pm | |
| parent | 67d9618771441215d8c431b81bf66acd4faa2aa1 (diff) | |
| download | bugzilla-534fc2123e40b7517aeaffd709faf72af97ac3b8.tar.gz bugzilla-534fc2123e40b7517aeaffd709faf72af97ac3b8.tar.xz | |
Bug 1196743 - Fix information disclosure vulnerability that allows attacker to obtain victim's GitHub OAuth return code
Diffstat (limited to 'Bugzilla/CGI.pm')
| -rw-r--r-- | Bugzilla/CGI.pm | 28 |
1 files changed, 28 insertions, 0 deletions
diff --git a/Bugzilla/CGI.pm b/Bugzilla/CGI.pm index a5a1afc5c..4deb5aa52 100644 --- a/Bugzilla/CGI.pm +++ b/Bugzilla/CGI.pm @@ -31,6 +31,7 @@ use Bugzilla::Util; use Bugzilla::Search::Recent; use File::Basename; +use URI; BEGIN { if (ON_WINDOWS) { @@ -125,6 +126,21 @@ sub new { return $self; } +sub target_uri { + my ($self) = @_; + + my $base = correct_urlbase(); + if (my $request_uri = $self->request_uri) { + my $base_uri = URI->new($base); + $base_uri->path(''); + $base_uri->query(undef); + return $base_uri . $request_uri; + } + else { + return $base . ($self->url(-relative => 1, -query => 1) || 'index.cgi'); + } +} + # We want this sorted plus the ability to exclude certain params sub canonicalise_query { my ($self, @exclude) = @_; @@ -355,6 +371,16 @@ sub header { %args); } + # We generate a cookie and store it in the request cache + # To initiate github login, a form POSTs to github.cgi with the + # github_secret as a parameter. It must match the github_secret cookie. + # this prevents some types of redirection attacks. + unless ($user->id) { + $self->send_cookie(-name => 'github_secret', + -value => Bugzilla->github_secret, + -httponly => 1); + } + # Add the cookies in if we have any if (scalar(@{$self->{Bugzilla_cookie_list}})) { unshift(@_, '-cookie' => $self->{Bugzilla_cookie_list}); @@ -475,6 +501,8 @@ sub send_cookie { $paramhash{'-path'} = Bugzilla->params->{'cookiepath'}; $paramhash{'-domain'} = Bugzilla->params->{'cookiedomain'} if Bugzilla->params->{'cookiedomain'}; + $paramhash{'-secure'} = 1 + if Bugzilla->params->{'ssl_redirect'}; # Move the param list back into an array for the call to cookie(). foreach (keys(%paramhash)) { |