From 9cc89d34f79d1a326e5c792722163d5908a97c13 Mon Sep 17 00:00:00 2001
From: Dylan Hardison <dylan@mozilla.com>
Date: Wed, 9 Mar 2016 22:12:31 -0500
Subject: Bug 1254227 - MozReview auth delegation allows sending out phishing
 mails via Bugzilla

---
 extensions/MozReview/Extension.pm | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

(limited to 'extensions/MozReview')

diff --git a/extensions/MozReview/Extension.pm b/extensions/MozReview/Extension.pm
index 1969ade42..907f12e56 100644
--- a/extensions/MozReview/Extension.pm
+++ b/extensions/MozReview/Extension.pm
@@ -82,10 +82,12 @@ sub template_before_process {
 sub auth_delegation_confirm {
     my ($self, $args) = @_;
     my $mozreview_callback_url = Bugzilla->params->{mozreview_auth_callback_url};
+    my $mozreview_app_id       = Bugzilla->params->{mozreview_app_id};
 
     return unless $mozreview_callback_url;
+    return unless $mozreview_app_id;
 
-    if (index($args->{callback}, $mozreview_callback_url) == 0) {
+    if (index($args->{callback}, $mozreview_callback_url) == 0 && $args->{app_id} eq $mozreview_app_id) {
         ${$args->{skip_confirmation}} = 1;
     }
 }
-- 
cgit v1.2.3-24-g4f1b