Bug 1254227 - MozReview auth delegation allows sending out phishing mails via Bugzilla

author: Dylan Hardison <dylan@mozilla.com> 2016-03-10 04:12:31 +0100
committer: Dylan Hardison <dylan@mozilla.com> 2016-03-10 04:12:31 +0100
commit: 9cc89d34f79d1a326e5c792722163d5908a97c13 (patch)
tree: 3dc2a45f0826439fc6ea814197173a1fbb30b378 /extensions/MozReview
parent: ad2b169b0b40aa53bfacb8a7cfb89631134a865d (diff)
download: bugzilla-9cc89d34f79d1a326e5c792722163d5908a97c13.tar.gz
bugzilla-9cc89d34f79d1a326e5c792722163d5908a97c13.tar.xz
1 files changed, 3 insertions, 1 deletions
diff --git a/extensions/MozReview/Extension.pm b/extensions/MozReview/Extension.pm
index 1969ade42..907f12e56 100644
--- a/extensions/MozReview/Extension.pm
+++ b/extensions/MozReview/Extension.pm
@@ -82,10 +82,12 @@ sub template_before_process {
 sub auth_delegation_confirm {
     my ($self, $args) = @_;
     my $mozreview_callback_url = Bugzilla->params->{mozreview_auth_callback_url};
+    my $mozreview_app_id       = Bugzilla->params->{mozreview_app_id};
 
     return unless $mozreview_callback_url;
+    return unless $mozreview_app_id;
 
-    if (index($args->{callback}, $mozreview_callback_url) == 0) {
+    if (index($args->{callback}, $mozreview_callback_url) == 0 && $args->{app_id} eq $mozreview_app_id) {
         ${$args->{skip_confirmation}} = 1;
     }
 }
author	Dylan Hardison <dylan@mozilla.com>	2016-03-10 04:12:31 +0100
committer	Dylan Hardison <dylan@mozilla.com>	2016-03-10 04:12:31 +0100
commit	9cc89d34f79d1a326e5c792722163d5908a97c13 (patch)
tree	3dc2a45f0826439fc6ea814197173a1fbb30b378 /extensions/MozReview
parent	ad2b169b0b40aa53bfacb8a7cfb89631134a865d (diff)
download	bugzilla-9cc89d34f79d1a326e5c792722163d5908a97c13.tar.gz bugzilla-9cc89d34f79d1a326e5c792722163d5908a97c13.tar.xz