author | Dylan William Hardison <dylan@hardison.net> | 2017-12-21 04:14:08 +0100 |
---|---|---|
committer | GitHub <noreply@github.com> | 2017-12-21 04:14:08 +0100 |
commit | 602af2ba4d6b98379a85bfa429132dbccf5851ea (patch) | |
tree | e931604c0c567376d75be97f253f4f673afa31ba /github.cgi | |
parent | 484182135092c4c01a8db6f5c44e1afa89b540d7 (diff) | |
download | bugzilla-602af2ba4d6b98379a85bfa429132dbccf5851ea.tar.gz bugzilla-602af2ba4d6b98379a85bfa429132dbccf5851ea.tar.xz |
Bug 1424408 - "Sign in with GitHub" button triggers a bugzilla security error, if I'm viewing a page with e.g. "t=" in the URL
Diffstat (limited to 'github.cgi')
-rwxr-xr-x | github.cgi | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/github.cgi b/github.cgi index acb02d466..b8467e1e0 100755 --- a/github.cgi +++ b/github.cgi @@ -44,7 +44,7 @@ if (lc($cgi->request_method) eq 'post') { unless $target_uri =~ /^\Q$urlbase\E/; ThrowCodeError("github_insecure_referer", { target_uri => $target_uri }) - if $cgi->referer && $cgi->referer =~ /(reset_password\.cgi|token\.cgi|t=|token=|api_key=)/; + if $cgi->referer && $cgi->referer =~ /(?:reset_password\.cgi|token\.cgi|\bt=|token=|api_key=)/; if ($user->id) { print $cgi->redirect($target_uri); |
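Review bot: The `\bt=` alternative in the new referer regex only requires a word boundary before `t`, and `token=` and `api_key=` are still unanchored, so the check can still raise github_insecure_referer on referers that carry no token parameter at all. `\b` is satisfied after any non-word character, so `-t=` or a `t=` inside the path matches, and `token=` matches inside any longer parameter name ending in "token". That is the same kind of false positive this bug reports. The match also runs against the whole referer string rather than only its query string. Consider anchoring all three names on a query delimiter, for example `(?:^|[?&;])(?:t|token|api_key)=`, applied to the query part of the referer, and adding a test that covers a referer with a parameter that merely ends in `t` alongside one that has a real `t=` parameter.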