authorDylan Hardison <dylan@mozilla.com>2015-11-05 06:28:14 +0100
committerDylan Hardison <dylan@mozilla.com>2015-11-05 06:28:14 +0100
commit534fc2123e40b7517aeaffd709faf72af97ac3b8 (patch)
tree18ad69c8fb22e213ee3256c0768e35dd964d2156 /extensions/GitHubAuth/template
parent67d9618771441215d8c431b81bf66acd4faa2aa1 (diff)
Bug 1196743 - Fix information disclosure vulnerability that allows an attacker to obtain a victim's GitHub OAuth return code
Diffstat (limited to 'extensions/GitHubAuth/template')
-rw-r--r--extensions/GitHubAuth/template/en/default/hook/account/auth/login-additional_methods.html.tmpl10
-rw-r--r--extensions/GitHubAuth/template/en/default/hook/account/auth/login-small-additional_methods.html.tmpl12
-rw-r--r--extensions/GitHubAuth/template/en/default/hook/global/code-error-errors.html.tmpl12
3 files changed, 21 insertions, 13 deletions
diff --git a/extensions/GitHubAuth/template/en/default/hook/account/auth/login-additional_methods.html.tmpl b/extensions/GitHubAuth/template/en/default/hook/account/auth/login-additional_methods.html.tmpl
index 26eb8d63b..609b86159 100644
--- a/extensions/GitHubAuth/template/en/default/hook/account/auth/login-additional_methods.html.tmpl
+++ b/extensions/GitHubAuth/template/en/default/hook/account/auth/login-additional_methods.html.tmpl
@@ -5,14 +5,16 @@
# This Source Code Form is "Incompatible With Secondary Licenses", as
# defined by the Mozilla Public License, v. 2.0.
#%]
-
+[% USE Bugzilla %]
[% IF Param('user_info_class').split(',').contains('GitHubAuth') %]
<p>
- <a href="[% github_auth.login FILTER html %]">
- <img src="extensions/GitHubAuth/web/images/github_sign_in.png"
+ <form method="post" action="[% urlbase FILTER html %]github.cgi">
+ <input type="hidden" name="github_secret" value="[% Bugzilla.github_secret FILTER html %]">
+ <input type="hidden" name="target_uri" value="[% Bugzilla.cgi.target_uri FILTER html %]">
+ <input type="image" src="extensions/GitHubAuth/web/images/github_sign_in.png"
alt="Sign in with GitHub"
title="Sign in with GitHub"
width="185" height="25">
- </a>
+ </form>
</p>
[% END %]
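Review bot: Nothing in the new markup records why the sign-in link became a POST form carrying `github_secret` and `target_uri`, so a later cleanup could fold it back into a plain `<a href>` and reopen bug 1196743; add a template comment above the form such as `[%# The sign-in must be a POST: github.cgi is expected to check github_secret so the OAuth flow cannot be started for a visitor from a third-party page. See bug 1196743. #%]`, wording the check as "expected" since it is not visible in this hunk. The hunk also does not show how `Bugzilla.github_secret` is derived; because this hook renders on the login page for anonymous visitors, the value only blocks cross-site initiation if it is bound to the visitor's session or otherwise not a fixed installation-wide constant, which is worth confirming against the Perl side of this commit. Separately, `<form>` is flow content, so the parser closes the enclosing `<p>` at the `<form>` start tag and the closing `</p>` ends up stray; a `<div>` wrapper would be valid here (the wrapper in login-small-additional_methods.html.tmpl is a `<span>` with the same problem).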
diff --git a/extensions/GitHubAuth/template/en/default/hook/account/auth/login-small-additional_methods.html.tmpl b/extensions/GitHubAuth/template/en/default/hook/account/auth/login-small-additional_methods.html.tmpl
index 6c4582b70..f32b34a59 100644
--- a/extensions/GitHubAuth/template/en/default/hook/account/auth/login-small-additional_methods.html.tmpl
+++ b/extensions/GitHubAuth/template/en/default/hook/account/auth/login-small-additional_methods.html.tmpl
@@ -5,6 +5,7 @@
# This Source Code Form is "Incompatible With Secondary Licenses", as
# defined by the Mozilla Public License, v. 2.0.
#%]
+[% USE Bugzilla %]
[% IF Param('user_info_class').split(',').contains('GitHubAuth') %]
<script type="text/javascript">
@@ -18,9 +19,12 @@
});
</script>
<span id="github_mini_login[% qs_suffix FILTER html %]" class="bz_default_hidden">
- <a href="[% github_auth.login FILTER html %]">
- <img src="extensions/GitHubAuth/web/images/sign_in.png" height="22" width="75" align="absmiddle"
- alt="Sign in with GitHub"
- title="Sign in with GitHub"></a> or
+ <form method="post" action="[% urlbase FILTER html %]github.cgi">
+ <input type="hidden" name="github_secret" value="[% Bugzilla.github_secret FILTER html %]">
+ <input type="hidden" name="target_uri" value="[% Bugzilla.cgi.target_uri FILTER html %]">
+ <input type="image" src="extensions/GitHubAuth/web/images/sign_in.png" height="22" width="75" align="absmiddle"
+ alt="Sign in with GitHub"
+ title="Sign in with GitHub"></a> or
+ </form>
</span>
[% END %]
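Review bot: The `</a>` on the `title="Sign in with GitHub"></a> or` line is left over from the removed anchor, so the new markup closes an element it never opened; change it to `title="Sign in with GitHub"> or`. The `<form>` is now nested inside a `<span>`, which is phrasing content and cannot validly contain a form; a `<div>` for the `github_mini_login` wrapper, or the `<span>` restricted to the image input alone, would be correct. `align="absmiddle"` is a deprecated presentational attribute carried over from the old `<img>` and should become a class with `vertical-align: middle`, though that is beyond this fix.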
diff --git a/extensions/GitHubAuth/template/en/default/hook/global/code-error-errors.html.tmpl b/extensions/GitHubAuth/template/en/default/hook/global/code-error-errors.html.tmpl
index 5f6672e2b..aaf9b6fa3 100644
--- a/extensions/GitHubAuth/template/en/default/hook/global/code-error-errors.html.tmpl
+++ b/extensions/GitHubAuth/template/en/default/hook/global/code-error-errors.html.tmpl
@@ -6,11 +6,7 @@
# defined by the Mozilla Public License, v. 2.0.
#%]
-[% IF error == "github_invalid_state" %]
- [% title = "Invalid State Parameter" %]
- An invalid <em>state</em> parameter was passed to the GitHub OAuth2 callback.
-
-[% ELSIF error == "github_missing_code" %]
+[% IF error == "github_missing_code" %]
[% title = "Missing GitHub Auth Code" %]
Expected a <em>code</em> parameter in the GitHub OAuth2 callback.
@@ -22,4 +18,10 @@
[% title = "GitHub Error" %]
GitHub returned an error: [% response.message FILTER html %]
+[% ELSIF error == "github_invalid_target" %]
+ [% terms.Bugzilla %] cannot log you into an external site via GitHub.
+
+[% ELSIF error == "github_invalid_request" %]
+ Invalid GitHub log in attempt (reason: [% reason FILTER html %])
+
[% END %]
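Review bot: The two new branches `github_invalid_target` and `github_invalid_request` do not set `title`, unlike every sibling branch in this hook (`[% title = "Missing GitHub Auth Code" %]`, `[% title = "GitHub Error" %]`), so those error pages presumably render with whatever title the caller defaults to; add `[% title = "Invalid GitHub Login Target" %]` and `[% title = "Invalid GitHub Login Request" %]` as the first line of each branch. `reason` is passed through `FILTER html`, which is right, but since it is shown verbatim to the user the Perl side should hand over a short fixed identifier rather than echoing request input; that code is outside this hunk.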