From 9cc89d34f79d1a326e5c792722163d5908a97c13 Mon Sep 17 00:00:00 2001
From: Dylan Hardison
Date: Wed, 9 Mar 2016 22:12:31 -0500
Subject: Bug 1254227 - MozReview auth delegation allows sending out phishing mails via Bugzilla
---
 auth.cgi | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)
(limited to 'auth.cgi')
diff --git a/auth.cgi b/auth.cgi
index f069e3aec..49edd6abe 100755
--- a/auth.cgi
+++ b/auth.cgi
@@ -39,14 +39,19 @@ my $description = $cgi->param('description') or ThrowUserError("auth_delegation_
 trick_taint($callback);
 trick_taint($description);
 
+ThrowUserError("auth_delegation_invalid_description")
+ unless $description =~ /^[\w\s]{3,255}$/;
+
 my $callback_uri = URI->new($callback);
 my $callback_base = $callback_uri->clone;
 $callback_base->query(undef);
+my $app_id = sha256_hex($callback_base, $description);
 my $skip_confirmation = 0;
 my %args = (
 skip_confirmation => \$skip_confirmation,
 callback => $callback_uri,
 description => $description,
+ app_id => $app_id,
 callback_base => $callback_base
 );
 Bugzilla::Hook::process('auth_delegation_confirm', \%args);
@@ -64,7 +69,6 @@ if ($confirmed || $skip_confirmation) {
 { token => $token, callback => $callback });
 }
 }
-my $app_id = sha256_hex($callback_base, $description);
 my $keys = Bugzilla::User::APIKey->match({
 user_id => $user->id,
 app_id => $app_id,
--
cgit v1.2.3-24-g4f1b
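Review bot: The new description check in the first hunk, `/^[\w\s]{3,255}$/`, does not exclude line breaks: `\s` matches `\n` and `\r`, and `$` also admits a trailing newline, so a multi-line description still passes and reaches whatever renders it later (the subject suggests mail). Anchor with `\A`/`\z` and spell out the permitted whitespace, e.g. `unless $description =~ /\A[\w ]{3,255}\z/;`, and if the supported Perl has `/a` add it (or use `[A-Za-z0-9_ ]`) so `\w` does not accept arbitrary Unicode letters, which the `sha256_hex` call on the new `$app_id` line may reject as wide characters (inferred; confirm against Digest::SHA). The check also runs after `trick_taint($description)`, so the value is laundered before it is validated; placing the check above the `trick_taint` call, or untainting from the match's capture instead, keeps taint mode meaningful here. The `if` block in the second hunk starts outside the hunk.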