From: Dylan William Hardison <dylan@mozilla.com>
Date: Tue, 3 May 2016 13:59:02 +0000 (+0000)
Subject: Bug 1268989 - Inefficient check of "Bugzilla_api_token" might lead to CSRF/data discl... 
X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=240e77d0bb966707fe63e21e25eea02998b8c4a0;p=thirdparty%2Fbugzilla.git

Bug 1268989 - Inefficient check of "Bugzilla_api_token" might lead to CSRF/data disclosure vulnerability in Bugzilla's REST API
r=dkl
---

diff --git a/Bugzilla/Auth/Login/Cookie.pm b/Bugzilla/Auth/Login/Cookie.pm
index b67fb73db4..d8bf2f08f8 100644
--- a/Bugzilla/Auth/Login/Cookie.pm
+++ b/Bugzilla/Auth/Login/Cookie.pm
@@ -55,15 +55,7 @@ sub get_login_info {
         # If the call is for a web service, and an api token is provided, check
         # it is valid.
         if (i_am_webservice()) {
-            if ($login_cookie
-                && Bugzilla->usage_mode == USAGE_MODE_REST
-                && !exists Bugzilla->input_params->{Bugzilla_api_token})
-            {
-                # REST requires an api-token when using cookie authentication
-                # fall back to a non-authenticated request
-                $login_cookie = '';
-
-            } elsif (Bugzilla->input_params->{Bugzilla_api_token}) {
+            if (exists Bugzilla->input_params->{Bugzilla_api_token}) {
                 my $api_token = Bugzilla->input_params->{Bugzilla_api_token};
                 my ($token_user_id, undef, undef, $token_type)
                     = Bugzilla::Token::GetTokenData($api_token);
@@ -74,6 +66,11 @@ sub get_login_info {
                     ThrowUserError('auth_invalid_token', { token => $api_token });
                 }
             }
+            elsif ($login_cookie && Bugzilla->usage_mode == USAGE_MODE_REST) {
+                # REST requires an api-token when using cookie authentication
+                # fall back to a non-authenticated request
+                $login_cookie = '';
+            }
         }
     }