From 844c6238baf72dfa79ad7e33f2bc1947cbf5b3f5 Mon Sep 17 00:00:00 2001
From: Dylan Hardison
Date: Wed, 9 Mar 2016 22:16:56 -0500
Subject: Bug 1253914 - Cross domain referer leakage when resetting the user password
---
 .../en/default/hook/account/auth/login-additional_methods.html.tmpl | 2 +-
 .../template/en/default/hook/global/code-error-errors.html.tmpl | 3 +++
 github.cgi | 3 +++
 template/en/default/global/header.html.tmpl | 1 +
 4 files changed, 8 insertions(+), 1 deletion(-)
diff --git a/extensions/GitHubAuth/template/en/default/hook/account/auth/login-additional_methods.html.tmpl b/extensions/GitHubAuth/template/en/default/hook/account/auth/login-additional_methods.html.tmpl
index 609b86159..17bcb3e42 100644
--- a/extensions/GitHubAuth/template/en/default/hook/account/auth/login-additional_methods.html.tmpl
+++ b/extensions/GitHubAuth/template/en/default/hook/account/auth/login-additional_methods.html.tmpl
@@ -17,4 +17,4 @@ width="185" height="25">

-[% END %]
+[% END %]
\ No newline at end of file
diff --git a/extensions/GitHubAuth/template/en/default/hook/global/code-error-errors.html.tmpl b/extensions/GitHubAuth/template/en/default/hook/global/code-error-errors.html.tmpl
index aaf9b6fa3..c32dd3cd5 100644
--- a/extensions/GitHubAuth/template/en/default/hook/global/code-error-errors.html.tmpl
+++ b/extensions/GitHubAuth/template/en/default/hook/global/code-error-errors.html.tmpl
@@ -21,6 +21,9 @@
 [% ELSIF error == "github_invalid_target" %]
 [% terms.Bugzilla %] cannot log you into an external site via GitHub.
+[% ELSIF error == "github_insecure_referer" %]
+ [% terms.Bugzilla %] prevented you from logging in from a page containing private information.
+
 [% ELSIF error == "github_invalid_request" %]
 Invalid GitHub log in attempt (reason: [% reason FILTER html %])
diff --git a/github.cgi b/github.cgi
index 03a5753e6..74111eae3 100755
--- a/github.cgi
+++ b/github.cgi
@@ -41,6 +41,9 @@ if (lc($cgi->request_method) eq 'post') {
 ThrowCodeError("github_invalid_target", { target_uri => $target_uri })
 unless $target_uri =~ /^\Q$urlbase\E/;
+ ThrowCodeError("github_insecure_referer", { target_uri => $target_uri })
+ if $cgi->referer && $cgi->referer =~ /(reset_password\.cgi|token\.cgi|t=|token=|api_key=)/;
+
 if ($user->id) {
 print $cgi->redirect($target_uri);
 exit;
diff --git a/template/en/default/global/header.html.tmpl b/template/en/default/global/header.html.tmpl
index 23634ed43..382c72f1d 100644
--- a/template/en/default/global/header.html.tmpl
+++ b/template/en/default/global/header.html.tmpl
@@ -268,6 +268,7 @@
 [% IF allow_mobile && is_mobile_browser %]
 [% END %]
+ [% Hook.process("additional_header") %]
-- cgit v1.2.3-24-g4f1b
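Review bot: The referer blocklist in the new `if $cgi->referer && $cgi->referer =~ /(reset_password\.cgi|token\.cgi|t=|token=|api_key=)/;` line in github.cgi is an unanchored substring match, so the `t=` alternative also fires on any query key that merely ends in `t` (for example `product=` or `format=`), and a user arriving from such a page is refused with `github_insecure_referer` although nothing secret is in the URL. Anchoring the parameter names to a query-string delimiter, `if $cgi->referer && $cgi->referer =~ /(?:reset_password\.cgi|token\.cgi|[?&;](?:t|token|api_key)=)/;`, keeps every intended match and drops those false positives. Since the Referer header is supplied by the client, this check can only reduce accidental leakage of a token-bearing URL into the GitHub redirect and should be documented as such, e.g. `# Best-effort: refuse to start the GitHub round-trip from a page whose URL may carry a reset/API token, so the token is not leaked via Referer.`; the `additional_header` hook added to header.html.tmpl in this same commit looks like the place where a referrer policy for those pages would address the root cause, but that template is not in the hunk. The enclosing `if (lc($cgi->request_method) eq 'post')` block starts before the hunk.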