From 534fc2123e40b7517aeaffd709faf72af97ac3b8 Mon Sep 17 00:00:00 2001
From: Dylan Hardison <dylan@mozilla.com>
Date: Thu, 5 Nov 2015 00:28:14 -0500
Subject: Bug 1196743 - Fix information disclosure vulnerability that allows
 attacker to obtain victim's GitHub OAuth return code

---
 Bugzilla/Auth/Persist/Cookie.pm |  2 ++
 Bugzilla/CGI.pm                 | 28 ++++++++++++++++++++++++++++
 Bugzilla/Token.pm               |  2 +-
 3 files changed, 31 insertions(+), 1 deletion(-)

(limited to 'Bugzilla')

diff --git a/Bugzilla/Auth/Persist/Cookie.pm b/Bugzilla/Auth/Persist/Cookie.pm
index 4adb00f96..fd910b118 100644
--- a/Bugzilla/Auth/Persist/Cookie.pm
+++ b/Bugzilla/Auth/Persist/Cookie.pm
@@ -90,6 +90,8 @@ sub persist_login {
         $cookieargs{'-secure'} = 1;
     }
 
+    $cgi->remove_cookie('github_secret');
+    $cgi->remove_cookie('Bugzilla_login_request_cookie');
     $cgi->send_cookie(-name => 'Bugzilla_login',
                       -value => $user->id,
                       %cookieargs);
diff --git a/Bugzilla/CGI.pm b/Bugzilla/CGI.pm
index a5a1afc5c..4deb5aa52 100644
--- a/Bugzilla/CGI.pm
+++ b/Bugzilla/CGI.pm
@@ -31,6 +31,7 @@ use Bugzilla::Util;
 use Bugzilla::Search::Recent;
 
 use File::Basename;
+use URI;
 
 BEGIN {
     if (ON_WINDOWS) {
@@ -125,6 +126,21 @@ sub new {
     return $self;
 }
 
+sub target_uri {
+    my ($self) = @_;
+
+    my $base = correct_urlbase();
+    if (my $request_uri = $self->request_uri) {
+        my $base_uri = URI->new($base);
+        $base_uri->path('');
+        $base_uri->query(undef);
+        return $base_uri . $request_uri;
+    }
+    else {
+        return $base . ($self->url(-relative => 1, -query => 1) || 'index.cgi');
+    }
+}
+
 # We want this sorted plus the ability to exclude certain params
 sub canonicalise_query {
     my ($self, @exclude) = @_;
@@ -355,6 +371,16 @@ sub header {
                            %args);
     }
 
+    # We generate a cookie and store it in the request cache
+    # To initiate github login, a form POSTs to github.cgi with the
+    # github_secret as a parameter. It must match the github_secret cookie.
+    # this prevents some types of redirection attacks.
+    unless ($user->id) {
+        $self->send_cookie(-name     => 'github_secret',
+                           -value    => Bugzilla->github_secret,
+                           -httponly => 1);
+    }
+
     # Add the cookies in if we have any
     if (scalar(@{$self->{Bugzilla_cookie_list}})) {
         unshift(@_, '-cookie' => $self->{Bugzilla_cookie_list});
@@ -475,6 +501,8 @@ sub send_cookie {
     $paramhash{'-path'} = Bugzilla->params->{'cookiepath'};
     $paramhash{'-domain'} = Bugzilla->params->{'cookiedomain'}
         if Bugzilla->params->{'cookiedomain'};
+    $paramhash{'-secure'} = 1
+        if Bugzilla->params->{'ssl_redirect'};
 
     # Move the param list back into an array for the call to cookie().
     foreach (keys(%paramhash)) {
diff --git a/Bugzilla/Token.pm b/Bugzilla/Token.pm
index 3c5261821..6e3095549 100644
--- a/Bugzilla/Token.pm
+++ b/Bugzilla/Token.pm
@@ -237,7 +237,7 @@ sub issue_short_lived_session_token {
     # the token to the caller.
 
     $user //= Bugzilla->user;
-    return _create_token($user->id, 'session.short', $data);
+    return _create_token($user->id ? $user->id : undef, 'session.short', $data);
 }
 
 sub issue_hash_token {
-- 
cgit v1.2.3-24-g4f1b