From 9cc89d34f79d1a326e5c792722163d5908a97c13 Mon Sep 17 00:00:00 2001
From: Dylan Hardison
Date: Wed, 9 Mar 2016 22:12:31 -0500
Subject: Bug 1254227 - MozReview auth delegation allows sending out phishing mails via Bugzilla

---
 auth.cgi | 6 +++++-
 extensions/MozReview/Extension.pm | 4 +++-
 template/en/default/email/new-api-key.txt.tmpl | 2 +-
 template/en/default/global/user-error.html.tmpl | 6 ++++++
 4 files changed, 15 insertions(+), 3 deletions(-)

diff --git a/auth.cgi b/auth.cgi
index f069e3aec..49edd6abe 100755
--- a/auth.cgi
+++ b/auth.cgi
@@ -39,14 +39,19 @@ my $description = $cgi->param('description') or ThrowUserError("auth_delegation_
 trick_taint($callback);
 trick_taint($description);
+ThrowUserError("auth_delegation_invalid_description")
+ unless $description =~ /^[\w\s]{3,255}$/;
+
 my $callback_uri = URI->new($callback);
 my $callback_base = $callback_uri->clone;
 $callback_base->query(undef);
+my $app_id = sha256_hex($callback_base, $description);
 my $skip_confirmation = 0;
 my %args = (
 skip_confirmation => \$skip_confirmation,
 callback => $callback_uri,
 description => $description,
+ app_id => $app_id,
 callback_base => $callback_base
 );
 Bugzilla::Hook::process('auth_delegation_confirm', \%args);
@@ -64,7 +69,6 @@ if ($confirmed || $skip_confirmation) {
 { token => $token, callback => $callback });
 }
 }
- my $app_id = sha256_hex($callback_base, $description);
 my $keys = Bugzilla::User::APIKey->match({
 user_id => $user->id,
 app_id => $app_id,
diff --git a/extensions/MozReview/Extension.pm b/extensions/MozReview/Extension.pm
index 1969ade42..907f12e56 100644
--- a/extensions/MozReview/Extension.pm
+++ b/extensions/MozReview/Extension.pm
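Review bot: The new description check `unless $description =~ /^[\w\s]{3,255}$/;` is looser than the accompanying user-error text promises: `$` also matches before a trailing newline and `\s` admits tabs and newlines, so a description that is not a single line of words still passes, and `\w` is Unicode-aware unless ASCII semantics are requested. Anchoring with `\A`/`\z` and allowing only a literal space between words, e.g. `unless $description =~ /\A[A-Za-z0-9_ ]{3,255}\z/;`, matches the stated intent. The check also runs after `trick_taint($description)` on the line above it; validating first, and untainting by reassigning from a capture, keeps taint mode meaningful instead of blanket-untainting before any check. Separately, `sha256_hex($callback_base, $description)` (hoisted above the hook in this hunk and removed from the second hunk) hashes the two values concatenated with no delimiter, so the (callback_base, description) pair is not encoded unambiguously; inserting a separator that the validated description cannot contain would fix that, though existing stored app_ids and the configured MozReview app id would then need regenerating.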
@@ -82,10 +82,12 @@ sub template_before_process {
 sub auth_delegation_confirm {
 my ($self, $args) = @_;
 my $mozreview_callback_url = Bugzilla->params->{mozreview_auth_callback_url};
+ my $mozreview_app_id = Bugzilla->params->{mozreview_app_id};
 return unless $mozreview_callback_url;
+ return unless $mozreview_app_id;
- if (index($args->{callback}, $mozreview_callback_url) == 0) {
+ if (index($args->{callback}, $mozreview_callback_url) == 0 && $args->{app_id} eq $mozreview_app_id) {
 ${$args->{skip_confirmation}} = 1;
 }
 }
diff --git a/template/en/default/email/new-api-key.txt.tmpl b/template/en/default/email/new-api-key.txt.tmpl
index 5dc068b05..4a03fe800 100644
--- a/template/en/default/email/new-api-key.txt.tmpl
+++ b/template/en/default/email/new-api-key.txt.tmpl
@@ -21,7 +21,7 @@ X-Bugzilla-Type: admin
 [This e-mail has been automatically generated]
 A new [% terms.Bugzilla %] API key[% IF new_key.description %], with the
-description '[% new_key.description %]'[% END %] has been created. You can view
+description '[% new_key.description FILTER truncate(10) %]'[% END %] has been created. You can view
 or update the key at the following URL:
 [%+ urlbase %]userprefs.cgi?tab=apikey
diff --git a/template/en/default/global/user-error.html.tmpl b/template/en/default/global/user-error.html.tmpl
index 2ecad03fd..33fb0123d 100644
--- a/template/en/default/global/user-error.html.tmpl
+++ b/template/en/default/global/user-error.html.tmpl
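Review bot: The new condition `index($args->{callback}, $mozreview_callback_url) == 0 && $args->{app_id} eq $mozreview_app_id` still treats any callback that merely begins with the configured URL as trusted; auth.cgi also passes `$args->{callback_base}` (the callback with its query stripped), so an exact comparison of that against the configured URL would be stricter, provided the MozReview callback has no variable path component, which I cannot tell from here. The combined `if` line is also well past 78 columns; `my $callback_ok = index($args->{callback}, $mozreview_callback_url) == 0;` / `my $app_ok = $args->{app_id} eq $mozreview_app_id;` / `if ($callback_ok && $app_ok) {` reads better and lets each check be reported separately. A one-line comment above `sub auth_delegation_confirm`, stating that confirmation is skipped only when both the configured callback URL and app id match, would record the intent for the next reader.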
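Review bot: `FILTER truncate(10)` on the new side keeps the `...` inside the 10-character budget (as Template Toolkit documents for its truncate filter), so any description longer than 10 characters appears as its first 7 characters plus dots; that is likely acceptable for this notification, but the length is a bare magic number. A template comment beside it, e.g. `[%# description is supplied by the third-party site; show only a short excerpt %]`, would record why the excerpt is deliberately short. Up to that limit the description is still quoted verbatim, so the validation added in auth.cgi remains the real control and this filter should not be assumed to replace it.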
@@ -148,6 +148,12 @@
 [% title = "Auth delegation can't be confirmed" %]
 Auth delegation cannot be confirmed due to missing or invalid token.
+ [% ELSIF error == "auth_delegation_invalid_description" %]
+ [% title = "Auth delegation suspicious description" %]
+ It looks like auth delegation was attempted with a suspicious description!
+ Auth Delegation descriptions should consist only of words, with no other punctuation.
+ You were sent here by some other site; please contact them for support.
+
 [% ELSIF error == "auth_delegation_invalid_token" %]
 [% title = "Auth delegation can't be confirmed" %]
 Auth delegation cannot be confirmed due to missing or invalid token.
--
cgit v1.2.3-24-g4f1b
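Review bot: The new message tells the user that descriptions `should consist only of words, with no other punctuation`, but the check it reports on (`[\w\s]{3,255}` in auth.cgi) also accepts digits, underscores and any whitespace, so the stated rule is narrower than the enforced one. Either state the real rule, e.g. `Auth delegation descriptions may contain only letters, digits, underscores and spaces (3 to 255 characters).`, or tighten the regex to match this text; since the user is told to contact the referring site, the precise rule is what that site's developer needs. The enclosing `[% IF ... ELSIF ... %]` chain starts before and ends after this hunk.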