From 589ec37a32d8687d612eedd107748b7afadd07fd Mon Sep 17 00:00:00 2001
From: Dylan William Hardison
Date: Tue, 11 Aug 2015 11:57:30 -0400
Subject: Bug 1190693 - Backport bug 1175643 to bmo for safer auth delegation
---
 auth.cgi | 35 +++++++++++++++++++++++++++++++----
 1 file changed, 31 insertions(+), 4 deletions(-)
(limited to 'auth.cgi')
diff --git a/auth.cgi b/auth.cgi
index dcce5c458..c5dae77de 100755
--- a/auth.cgi
+++ b/auth.cgi
@@ -23,6 +23,8 @@ use Bugzilla::Mailer qw(MessageToMTA);
 use URI;
 use URI::QueryParam;
 use Digest::SHA qw(sha256_hex);
+use LWP::UserAgent ();
+use JSON qw(decode_json encode_json);
 Bugzilla->login(LOGIN_REQUIRED);
@@ -88,10 +90,35 @@ if ($confirmed || $skip_confirmation) {
 MessageToMTA($message);
 }
- $callback_uri->query_param(client_api_key => $api_key->api_key);
- $callback_uri->query_param(client_api_login => $user->login);
-
- print $cgi->redirect($callback_uri);
+ my $ua = LWP::UserAgent->new();
+ $ua->timeout(2);
+ $ua->protocols_allowed(['http', 'https']);
+ # If the URL of the proxy is given, use it, else get this information
+ # from the environment variable.
+ if (my $proxy_url = Bugzilla->params->{'proxy_url'}) {
+ $ua->proxy(['http', 'https'], $proxy_url);
+ }
+ else {
+ $ua->env_proxy;
+ }
+ my $content = encode_json({ client_api_key => $api_key->api_key,
+ client_api_login => $user->login });
+ my $resp = $ua->post($callback_uri,
+ 'Content-Type' => 'application/json',
+ Content => $content);
+ if ($resp->code == 200) {
+ $callback_uri->query_param(client_api_login => $user->login);
+ eval {
+ my $data = decode_json($resp->content);
+ $callback_uri->query_param(callback_result => $data->{result});
+ };
+ ThrowUserError('auth_delegation_json_error', { json_text => $resp->content }) if $@;
+
+ print $cgi->redirect($callback_uri);
+ }
+ else {
+ ThrowUserError('auth_delegation_post_error', { code => $resp->code });
+ }
 }
 else {
 $args{token} = issue_auth_delegation_token($callback);
-- 
cgit v1.2.3-24-g4f1b
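Review bot: The new POST in the second hunk sends `client_api_key` to `$callback_uri` while `$ua->protocols_allowed(['http', 'https'])` still permits plain HTTP, so a callback with an `http` URL receives the key unencrypted; unless plain-HTTP consumers must keep working, `$ua->protocols_allowed(['https']);` closes that. The request now originates from the Bugzilla host, and `$callback_uri` appears to derive from the caller-supplied callback. Nothing in this hunk limits which hosts it may reach, so it is worth confirming that the part of auth.cgi outside the hunk validates the destination and rejects internal addresses. The response body is read without a size cap and is passed whole as `json_text` into `auth_delegation_json_error`; a `$ua->max_size(N)` call with a small N would bound both. The enclosing `if ($confirmed || $skip_confirmation)` block starts above the hunk.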