Closed
Bug 1424408
Opened 7 years ago
Closed 7 years ago
"Sign in with GitHub" button triggers a bugzilla security error, if I'm viewing a page with e.g. "t="
Categories
(bugzilla.mozilla.org :: Extensions, defect)
Tracking
()
VERIFIED
FIXED
People
(Reporter: dholbert, Unassigned)
Details
Attachments
(2 files)
STR:
1. Visit this link, in a fresh profile: https://bugzilla.mozilla.org/enter_bug.cgi?product=Core&component=SVG
2. Click the "Sign in with GitHub" button

ACTUAL RESULTS:
You get taken to an error page:
> Bugzilla has suffered an internal error:
> Bugzilla prevented you from logging in from a page
> containing private information.

EXPECTED RESULTS:
I should've been redirected to the GitHub login form.

This works correctly from pages like https://bugzilla.mozilla.org/enter_bug.cgi
...but not if I try to pre-enter the product & component like:
https://bugzilla.mozilla.org/enter_bug.cgi?product=Core&component=SVG

I'm guessing this is some "did you accidentally give us your github username/password" logic, which has gone haywire/extra-severe?
Reporter
Comment 1•7 years ago
Background: I just got an emailed report of an SVG bug, and I replied asking the person to file a bug at this URL:
https://bugzilla.mozilla.org/enter_bug.cgi?product=Core&component=SVG
...and I told them they could even log in with a GitHub-login-flow if they don't want to bother creating a Bugzilla account (intending to save them a little time / mental burden).

Little did I know, this turned out to actually be a footgun. :D Hence, this bug.
Comment 2•7 years ago
So the fellow that ported this to upstream actually pointed this out last week, we're matching against the 't' in component there. It'll be fixed next push.
Updated•7 years ago
Assignee: nobody → dylan
Comment 3•7 years ago
Reporter
Comment 4•7 years ago
Reporter
Comment 5•7 years ago
Wow! Was not expecting to see a patch before I could even capture & attach a screencast. :D Thanks!
Updated•7 years ago
Summary: "Sign in with GitHub" button triggers a bugzilla security error, if I'm viewing a page with e.g. "&product=Core&component=SVG" in the URL → "Sign in with GitHub" button triggers a bugzilla security error, if I'm viewing a page with e.g. "t="
Comment 6•7 years ago
Comment on attachment 8935933
PR

r=dkl
Attachment #8935933 - Flags: review+
Updated•7 years ago
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → FIXED
Reporter
Comment 7•7 years ago
Verified fixed. STR now take me to a github login page, as expected. Thanks!
Status: RESOLVED → VERIFIED
Updated•5 years ago
Assignee: dylan → nobody
Component: Extensions: GitHubAuth → Extensions
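
The root cause named in Comment 2 and in the revised summary, shown as an added illustration that is not part of this bug thread or of Bugzilla's code. The unanchored pattern, the `token` parameter name and the function names are assumptions (only `t` appears on this page), and splitting on both `&` and `;` assumes Perl CGI.pm-style query parsing.

```python
import re
from urllib.parse import urlsplit, unquote_plus

# Assumed set of parameter names treated as private; only "t" is on this page.
SENSITIVE_PARAMS = {"t", "token"}

# Constructed "before": an unanchored pattern run over the raw URL (assumption).
NAIVE = re.compile("(?:%s)=" % "|".join(re.escape(p) for p in sorted(SENSITIVE_PARAMS)))


def naive_has_private(url):
    """Substring match: any parameter whose name merely ends in 't' trips it."""
    return NAIVE.search(url) is not None


def param_names(url):
    """Decoded query parameter names, splitting on '&' and ';' like CGI.pm."""
    query = urlsplit(url).query
    names = []
    for pair in re.split(r"[&;]", query):
        if pair:
            names.append(unquote_plus(pair.split("=", 1)[0]))
    return names


def strict_has_private(url):
    """Compare whole, decoded parameter names against the sensitive set."""
    return any(name in SENSITIVE_PARAMS for name in param_names(url))


BASE = "https://bugzilla.mozilla.org/enter_bug.cgi"
SAMPLES = [
    BASE,                                  # from the report: login works
    BASE + "?product=Core&component=SVG",  # from the report: false positive
    BASE + "?product=Core;t=CONSTRUCTED",  # constructed: real 't' after ';'
    BASE + "?%74=CONSTRUCTED",             # constructed: percent-encoded 't'
]

if __name__ == "__main__":
    for url in SAMPLES:
        print(f"naive={naive_has_private(url)!s:5} strict={strict_has_private(url)!s:5} {url}")
```

The naive check flags `component=` while missing the percent-encoded name; comparing parsed, decoded names avoids both errors.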