Bug 1254227 - MozReview auth delegation allows sending out phishing mails via Bugzilla

diff --git a/auth.cgi b/auth.cgi
index f069e3aec29f435e74a28c5bd0de8ef62eb2753a..49edd6abe46257256537fb971c3aa44f08edcd39 100755 (executable)
--- a/auth.cgi
+++ b/auth.cgi
@@ -39,14 +39,19 @@ my $description = $cgi->param('description') or ThrowUserError("auth_delegation_
 trick_taint($callback);
 trick_taint($description);
 
+ThrowUserError("auth_delegation_invalid_description")
+  unless $description =~ /^[\w\s]{3,255}$/;
+
 my $callback_uri  = URI->new($callback);
 my $callback_base = $callback_uri->clone;
 $callback_base->query(undef);
 
+my $app_id = sha256_hex($callback_base, $description);
 my $skip_confirmation = 0;
 my %args = ( skip_confirmation => \$skip_confirmation,
              callback          => $callback_uri,
              description       => $description,
+             app_id            => $app_id,
              callback_base     => $callback_base );
 
 Bugzilla::Hook::process('auth_delegation_confirm', \%args);
@@ -64,7 +69,6 @@ if ($confirmed || $skip_confirmation) {
                            { token => $token, callback => $callback });
         }
     }
-    my $app_id = sha256_hex($callback_base, $description);
     my $keys = Bugzilla::User::APIKey->match({
         user_id => $user->id,
         app_id  => $app_id,

diff --git a/extensions/MozReview/Extension.pm b/extensions/MozReview/Extension.pm
index 1969ade4225760686ec0fac0bb76f17ce55c454f..907f12e56383186b7c429d7adce176a9fd6798d0 100644 (file)
--- a/extensions/MozReview/Extension.pm
+++ b/extensions/MozReview/Extension.pm
@@ -82,10 +82,12 @@ sub template_before_process {
 sub auth_delegation_confirm {
     my ($self, $args) = @_;
     my $mozreview_callback_url = Bugzilla->params->{mozreview_auth_callback_url};
+    my $mozreview_app_id       = Bugzilla->params->{mozreview_app_id};
 
     return unless $mozreview_callback_url;
+    return unless $mozreview_app_id;
 
-    if (index($args->{callback}, $mozreview_callback_url) == 0) {
+    if (index($args->{callback}, $mozreview_callback_url) == 0 && $args->{app_id} eq $mozreview_app_id) {
         ${$args->{skip_confirmation}} = 1;
     }
 }

diff --git a/template/en/default/email/new-api-key.txt.tmpl b/template/en/default/email/new-api-key.txt.tmpl
index 5dc068b05a40e381247f9f529f8fbfde51383fd8..4a03fe80096b5424505b8e40f0d0a86f3c639d46 100644 (file)
--- a/template/en/default/email/new-api-key.txt.tmpl
+++ b/template/en/default/email/new-api-key.txt.tmpl
@@ -21,7 +21,7 @@ X-Bugzilla-Type: admin
 [This e-mail has been automatically generated]
 
 A new [% terms.Bugzilla %] API key[% IF new_key.description %], with the
-description '[% new_key.description %]'[% END %] has been created. You can view
+description '[% new_key.description FILTER truncate(10) %]'[% END %] has been created. You can view
 or update the key at the following URL:
 
 [%+ urlbase %]userprefs.cgi?tab=apikey

diff --git a/template/en/default/global/user-error.html.tmpl b/template/en/default/global/user-error.html.tmpl
index 2ecad03fd5d1fe7502b7c7b65c046219c2ae94ea..33fb0123ded0818b7d4364adad3daaa8ff216c2e 100644 (file)
--- a/template/en/default/global/user-error.html.tmpl
+++ b/template/en/default/global/user-error.html.tmpl
@@ -148,6 +148,12 @@
     [% title = "Auth delegation can't be confirmed" %]
     Auth delegation cannot be confirmed due to missing or invalid token.
 
+  [% ELSIF error == "auth_delegation_invalid_description" %]
+    [% title = "Auth delegation suspicious description" %]
+    It looks like auth delegation was attempted with a suspicious description!
+    Auth Delegation descriptions should consist only of words, with no other punctuation.
+    You were sent here by some other site; please contact them for support.
+
   [% ELSIF error == "auth_delegation_invalid_token" %]
     [% title = "Auth delegation can't be confirmed" %]
     Auth delegation cannot be confirmed due to missing or invalid token.