From ede3ced0fa2b76a5fcf8770eee29a2e23d5189a9 Mon Sep 17 00:00:00 2001
From: Byron Jones <glob@mozilla.com>
Date: Tue, 4 Nov 2014 22:40:34 +0800
Subject: Bug 1093622: Backout bug 1090427 for causing: authenticated calls
 from bzapi are failing: 'Untrusted Authentication Request'

---
 Bugzilla/Auth/Login/CGI.pm | 41 ++++-------------------------------------
 1 file changed, 4 insertions(+), 37 deletions(-)

(limited to 'Bugzilla/Auth/Login/CGI.pm')

diff --git a/Bugzilla/Auth/Login/CGI.pm b/Bugzilla/Auth/Login/CGI.pm
index 12b59d68b..8e877b951 100644
--- a/Bugzilla/Auth/Login/CGI.pm
+++ b/Bugzilla/Auth/Login/CGI.pm
@@ -37,52 +37,19 @@ use Bugzilla::Constants;
 use Bugzilla::WebService::Constants;
 use Bugzilla::Util;
 use Bugzilla::Error;
-use Bugzilla::Token;
 
 sub get_login_info {
     my ($self) = @_;
     my $params = Bugzilla->input_params;
-    my $cgi = Bugzilla->cgi;
-
-    my $login = trim(delete $params->{'Bugzilla_login'});
-    my $password = delete $params->{'Bugzilla_password'};
-    # The token must match the cookie to authenticate the request.
-    my $login_token = delete $params->{'Bugzilla_login_token'};
-    my $login_cookie = $cgi->cookie('Bugzilla_login_request_cookie');
 
-    my $valid = 0;
-    # If the web browser accepts cookies, use them.
-    if ($login_token && $login_cookie) {
-        my ($time, undef) = split(/-/, $login_token);
-        # Regenerate the token based on the information we have.
-        my $expected_token = issue_hash_token(['login_request', $login_cookie], $time);
-        $valid = 1 if $expected_token eq $login_token;
-        $cgi->remove_cookie('Bugzilla_login_request_cookie');
-    }
-    # WebServices and other local scripts can bypass this check.
-    # This is safe because we won't store a login cookie in this case.
-    elsif (Bugzilla->usage_mode != USAGE_MODE_BROWSER) {
-        $valid = 1;
-    }
-    # Else falls back to the Referer header and accept local URLs.
-    # Attachments are served from a separate host (ideally), and so
-    # an evil attachment cannot abuse this check with a redirect.
-    elsif (my $referer = $cgi->referer) {
-        my $urlbase = correct_urlbase();
-        $valid = 1 if $referer =~ /^\Q$urlbase\E/;
-    }
-    # If the web browser doesn't accept cookies and the Referer header
-    # is missing, we have no way to make sure that the authentication
-    # request comes from the user.
-    elsif ($login && $password) {
-        ThrowUserError('auth_untrusted_request', { login => $login });
-    }
+    my $username = trim(delete $params->{"Bugzilla_login"});
+    my $password = delete $params->{"Bugzilla_password"};
 
-    if (!$login || !$password || !$valid) {
+    if (!defined $username || !defined $password) {
         return { failure => AUTH_NODATA };
     }
 
-    return { username => $login, password => $password };
+    return { username => $username, password => $password };
 }
 
 sub fail_nodata {
-- 
cgit v1.2.3-24-g4f1b