Bug 1497487 - Backport bug 767623 to BMO: Use HMAC to generate tokens and sensitive...

author Dylan William Hardison <dylan@hardison.net>

Fri, 12 Oct 2018 02:47:24 +0000 (22:47 -0400)

committer GitHub <noreply@github.com>

Fri, 12 Oct 2018 02:47:24 +0000 (22:47 -0400)
author Dylan William Hardison <dylan@hardison.net>
Fri, 12 Oct 2018 02:47:24 +0000 (22:47 -0400)
committer GitHub <noreply@github.com>
Fri, 12 Oct 2018 02:47:24 +0000 (22:47 -0400)
diff --git a/Bugzilla/Token.pm b/Bugzilla/Token.pm

index 4b12f836b22beb7f786cd2d207eaad4bd82b5aa7..8e51db45db7ac8c6629662a4a66c6749f8ba3c77 100644 (file)
--- a/Bugzilla/Token.pm
+++ b/Bugzilla/Token.pm
@@ -20,7 +20,6 @@ use Bugzilla::User;
  use Date::Format;
  use Date::Parse;
  use File::Basename;
-use Digest::MD5 qw(md5_hex);
  use Digest::SHA qw(hmac_sha256_base64);
  use Encode;
  use JSON qw(encode_json decode_json);
@@ -254,15 +253,15 @@ sub issue_hash_token {
      my $user_id = Bugzilla->user->id || remote_ip();
  
      # The concatenated string is of the form
-    # token creation time + site-wide secret + user ID (either ID or remote IP) + data
-    my @args = ($time, Bugzilla->localconfig->{'site_wide_secret'}, $user_id, @$data);
+    # token creation time + user ID (either ID or remote IP) + data
+    my @args = ($time, $user_id, @$data);
  
      my $token = join('*', @args);
-    # Wide characters cause md5_hex() to die.
-    if (Bugzilla->params->{'utf8'}) {
-        utf8::encode($token) if utf8::is_utf8($token);
-    }
-    $token = md5_hex($token);
+    # $token needs to be a byte string.
+    utf8::encode($token);
+    $token = hmac_sha256_base64($token, Bugzilla->localconfig->{'site_wide_secret'});
+    $token =~ s/\+/-/g;
+    $token =~ s/\//_/g;
  
      # Prepend the token creation time, unencrypted, so that the token
      # lifetime can be validated.
diff --git a/reports.cgi b/reports.cgi

index 1633e37ca8fb26f4550f20977ad182ba71bf1dde..cd24e1ee3bfe815261770902ad89f77b20bd1c2c 100755 (executable)
--- a/reports.cgi
+++ b/reports.cgi
@@ -19,7 +19,7 @@ use Bugzilla::Error;
  use Bugzilla::Status;
  
  use File::Basename;
-use Digest::MD5 qw(md5_hex);
+use Digest::SHA qw(hmac_sha256_base64);
  
  # If we're using bug groups for products, we should apply those restrictions
  # to viewing reports, as well.  Time to check the login in that case.
@@ -90,14 +90,12 @@ else {
      # Filenames must not be guessable as they can point to products
      # you are not allowed to see. Also, different projects can have
      # the same product names.
-    my $key = Bugzilla->localconfig->{'site_wide_secret'};
      my $project = bz_locations()->{'project'} || '';
-    my $image_file =  join(':', ($key, $project, $prod_id, @datasets));
-    # Wide characters cause md5_hex() to die.
-    if (Bugzilla->params->{'utf8'}) {
-        utf8::encode($image_file) if utf8::is_utf8($image_file);
-    }
-    $image_file = md5_hex($image_file) . '.png';
+    my $image_file =  join(':', ($project, $prod_id, @datasets));
+    my $key = Bugzilla->localconfig->{'site_wide_secret'};
+    $image_file = hmac_sha256_base64($image_file, $key) . '.png';
+    $image_file =~ s/\+/-/g;
+    $image_file =~ s/\//_/g;
      trick_taint($image_file);
  
      if (! -e "$graph_dir/$image_file") {
author	Dylan William Hardison <dylan@hardison.net>
	Fri, 12 Oct 2018 02:47:24 +0000 (22:47 -0400)
committer	GitHub <noreply@github.com>
	Fri, 12 Oct 2018 02:47:24 +0000 (22:47 -0400)
Bugzilla/Token.pm		patch \| blob \| blame \| history
reports.cgi		patch \| blob \| blame \| history