From 534fc2123e40b7517aeaffd709faf72af97ac3b8 Mon Sep 17 00:00:00 2001
From: Dylan Hardison
Date: Thu, 5 Nov 2015 00:28:14 -0500
Subject: Bug 1196743 - Fix information disclosure vulnerability that allows attacker to obtain victim's GitHub OAuth return code
---
 .../hook/account/auth/login-additional_methods.html.tmpl | 10 ++++++----
 .../account/auth/login-small-additional_methods.html.tmpl | 12 ++++++++----
 .../en/default/hook/global/code-error-errors.html.tmpl | 12 +++++++-----
 3 files changed, 21 insertions(+), 13 deletions(-)
(limited to 'extensions/GitHubAuth/template/en')
diff --git a/extensions/GitHubAuth/template/en/default/hook/account/auth/login-additional_methods.html.tmpl b/extensions/GitHubAuth/template/en/default/hook/account/auth/login-additional_methods.html.tmpl
index 26eb8d63b..609b86159 100644
--- a/extensions/GitHubAuth/template/en/default/hook/account/auth/login-additional_methods.html.tmpl
+++ b/extensions/GitHubAuth/template/en/default/hook/account/auth/login-additional_methods.html.tmpl
@@ -5,14 +5,16 @@
 # This Source Code Form is "Incompatible With Secondary Licenses", as
 # defined by the Mozilla Public License, v. 2.0.
 #%]
-
+[% USE Bugzilla %]
 [% IF Param('user_info_class').split(',').contains('GitHubAuth') %]

- - + + + - +

[% END %] diff --git a/extensions/GitHubAuth/template/en/default/hook/account/auth/login-small-additional_methods.html.tmpl b/extensions/GitHubAuth/template/en/default/hook/account/auth/login-small-additional_methods.html.tmpl index 6c4582b70..f32b34a59 100644 --- a/extensions/GitHubAuth/template/en/default/hook/account/auth/login-small-additional_methods.html.tmpl +++ b/extensions/GitHubAuth/template/en/default/hook/account/auth/login-small-additional_methods.html.tmpl @@ -5,6 +5,7 @@ # This Source Code Form is "Incompatible With Secondary Licenses", as # defined by the Mozilla Public License, v. 2.0. #%] +[% USE Bugzilla %] [% IF Param('user_info_class').split(',').contains('GitHubAuth') %] - - Sign in with GitHub or +
+ + + or +
 [% END %]
diff --git a/extensions/GitHubAuth/template/en/default/hook/global/code-error-errors.html.tmpl b/extensions/GitHubAuth/template/en/default/hook/global/code-error-errors.html.tmpl
index 5f6672e2b..aaf9b6fa3 100644
--- a/extensions/GitHubAuth/template/en/default/hook/global/code-error-errors.html.tmpl
+++ b/extensions/GitHubAuth/template/en/default/hook/global/code-error-errors.html.tmpl
@@ -6,11 +6,7 @@
 # defined by the Mozilla Public License, v. 2.0.
 #%]
-[% IF error == "github_invalid_state" %]
- [% title = "Invalid State Parameter" %]
- An invalid state parameter was passed to the GitHub OAuth2 callback.
-
-[% ELSIF error == "github_missing_code" %]
+[% IF error == "github_missing_code" %]
 [% title = "Missing GitHub Auth Code" %]
 Expected a code parameter in the GitHub OAuth2 callback.
@@ -22,4 +18,10 @@
 [% title = "GitHub Error" %]
 GitHub returned an error: [% response.message FILTER html %]
+[% ELSIF error == "github_invalid_target" %]
+ [% terms.Bugzilla %] cannot log you into an external site via GitHub.
+
+[% ELSIF error == "github_invalid_request" %]
+ Invalid GitHub log in attempt (reason: [% reason FILTER html %])
+
 [% END %]
--
cgit v1.2.3-24-g4f1b
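Review bot: The two branches added at the end of the error chain, `github_invalid_target` and `github_invalid_request`, set no `title`, unlike the `github_missing_code` branch and the "GitHub Error" branch visible in this same file, so these pages presumably render with whatever default title the enclosing error template supplies. I would add `[% title = "Invalid GitHub Login Target" %]` and `[% title = "Invalid GitHub Login Request" %]` as the first line of the respective branches. `reason` is passed through `FILTER html`, which covers markup injection; the code that throws `github_invalid_request` is not in this diff, so it is worth confirming there that `reason` is always a fixed server-side string rather than a value copied from the callback request. The IF/ELSIF chain starts outside this hunk.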