From 534fc2123e40b7517aeaffd709faf72af97ac3b8 Mon Sep 17 00:00:00 2001
From: Dylan Hardison
Date: Thu, 5 Nov 2015 00:28:14 -0500
Subject: Bug 1196743 - Fix information disclosure vulnerability that allows attacker to obtain victim's GitHub OAuth return code
---
 Bugzilla.pm | 10 ++++++++++
 1 file changed, 10 insertions(+)
(limited to 'Bugzilla.pm')
diff --git a/Bugzilla.pm b/Bugzilla.pm
index 96f7cd0d2..a219d5bde 100644
--- a/Bugzilla.pm
+++ b/Bugzilla.pm
@@ -353,6 +353,16 @@ sub page_requires_login {
 return $_[0]->request_cache->{page_requires_login};
 }
 
+sub github_secret {
+ my ($class) = @_;
+ my $cache = $class->request_cache;
+ my $cgi = $class->cgi;
+
+ $cache->{github_secret} //= $cgi->cookie('github_secret') // generate_random_password(16);
+
+ return $cache->{github_secret};
+}
+
 sub login {
 my ($class, $type) = @_;
 
-- 
cgit v1.2.3-24-g4f1b
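Review bot: `github_secret` accepts the `github_secret` cookie verbatim as the per-browser secret, and `//` only tests definedness, so an empty or arbitrarily long client-supplied value is cached and returned exactly like a freshly generated one. Because the value arrives with the request, it would be safer to accept it only when it has the shape this code generates and otherwise fall through to a new one, e.g. `my $cookie = $cgi->cookie('github_secret');` then `undef $cookie unless defined $cookie && $cookie =~ /\A[A-Za-z0-9]{16}\z/;` (the character class assumes `generate_random_password` emits only alphanumerics; adjust it to the real alphabet). The hunk does not show where the generated value is sent back to the browser or with which cookie attributes, so a comment above the sub should say that the caller is responsible for setting the cookie and that it is expected to be `Secure` and `HttpOnly`. A shape check narrows what is accepted but cannot by itself rule out a well-formed value planted by another origin, so whichever code compares this secret against the OAuth return parameters should be documented as failing closed on any mismatch.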