diff options
| author | Dylan William Hardison <dylan@mozilla.com> | 2015-05-26 15:40:39 +0200 |
|---|---|---|
| committer | Byron Jones <glob@mozilla.com> | 2015-05-26 15:40:39 +0200 |
| commit | 07e47c4b4436a8ab9414d64894ccada36c8d124a (patch) | |
| tree | ceb62ad30ff9678f362d356cdd1c36580755d3bc /extensions/GitHubAuth/lib/Client.pm | |
| parent | d85abfea5c720cd07d4a7358138b55f34af98c8d (diff) | |
| download | bugzilla-07e47c4b4436a8ab9414d64894ccada36c8d124a.tar.gz bugzilla-07e47c4b4436a8ab9414d64894ccada36c8d124a.tar.xz | |
Bug 1162302: Bugzilla to Github 0auth CSRF
Diffstat (limited to 'extensions/GitHubAuth/lib/Client.pm')
| -rw-r--r-- | extensions/GitHubAuth/lib/Client.pm | 4 |
1 files changed, 4 insertions, 0 deletions
diff --git a/extensions/GitHubAuth/lib/Client.pm b/extensions/GitHubAuth/lib/Client.pm index 896e82eff..bcd5e462e 100644 --- a/extensions/GitHubAuth/lib/Client.pm +++ b/extensions/GitHubAuth/lib/Client.pm @@ -56,9 +56,11 @@ sub login_uri { sub get_email_key { my ($class, $email) = @_; + my $cgi = Bugzilla->cgi; my $digest = Digest->new(DIGEST_HASH); $digest->add($email); $digest->add(remote_ip()); + $digest->add($cgi->cookie('Bugzilla_github_token') // ''); $digest->add(Bugzilla->localconfig->{site_wide_secret}); return $digest->hexdigest; } @@ -79,9 +81,11 @@ sub get_state { $sorted_target->query_param_delete('GoAheadAndLogIn'); $sorted_target->query_param_delete('github_login'); + my $cgi = Bugzilla->cgi; my $digest = Digest->new(DIGEST_HASH); $digest->add($sorted_target->as_string); $digest->add(remote_ip()); + $digest->add($cgi->cookie('Bugzilla_github_token') // ''); $digest->add(Bugzilla->localconfig->{site_wide_secret}); return $digest->hexdigest; } |