User Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:31.0) Gecko/20100101 Firefox/31.0
Build ID: 20150320201757

Steps to reproduce:

On logging in to Bugzilla at https://bugzilla.mozilla.org/index.cgi?GoAheadAndLogIn=1 for the first time in years. . . . I received this message:

Your password is currently less than 8 characters long, which is the new minimum length required for passwords. You must request a new password in order to log in again.

Actual results:

Okay, fair, so I clicked on “request a new password,” which gave me:

It looks like you didn't come from the right page. One reason could be that you entered the URL in the address bar of your web browser directly, which should be safe. Another reason could be that you clicked on a URL which redirected you here without your consent. Are you sure you want to commit these changes?

Expected results:

Bugzilla should trust bugzilla.
Bug introduced with fix to previous bug: https://bugzilla.mozilla.org/show_bug.cgi?id=1009013
Not reproducible upstream. But bmo backported this feature, so they probably missed some other related fixes.
Actually, bmo isn't carrying the changes from bug 1009013, but we have backported CSRF token fixes, which is likely the cause of this issue. Backporting bug 1009013 should fix this, as it adds the missing token to the link in the error.
This was a trivial straight backport.

To ssh://email@example.com/webtools/bmo/bugzilla.git
48c23b1..d4a53a6 master -> master
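The failure discussed in this thread, as an added Python model that is not Bugzilla's own code: a handler that requires an anti-CSRF token shows the "didn't come from the right page" confirmation when the site's own error-page link omits the token, and accepts the request once the link carries one. The secret, URL, parameter names, action name and token format are all assumptions made for the illustration.

```python
import hashlib
import hmac
import time
from urllib.parse import parse_qs, urlencode, urlparse

SITE_SECRET = b"constructed-demo-secret"      # constructed value
MAX_AGE = 3 * 24 * 3600                       # assumed token lifetime, seconds
ACTION = "request_new_password"               # hypothetical action name
BASE = "https://bugzilla.example/token.cgi"   # hypothetical handler URL


def issue_token(login, action, ts=None):
    """Return 'timestamp-mac', bound to the login name and the action."""
    ts = int(time.time()) if ts is None else int(ts)
    msg = f"{ts}:{login}:{action}".encode()
    return f"{ts}-{hmac.new(SITE_SECRET, msg, hashlib.sha256).hexdigest()}"


def check_token(token, login, action, now=None):
    """'ok' if valid, 'confirm' if absent, 'reject' if forged or expired."""
    if not token:
        return "confirm"  # the "didn't come from the right page" prompt
    try:
        ts = int(token.partition("-")[0])
    except ValueError:
        return "reject"
    expected = issue_token(login, action, ts)
    if not hmac.compare_digest(token.encode(), expected.encode()):
        return "reject"
    now = time.time() if now is None else now
    return "ok" if 0 <= now - ts <= MAX_AGE else "reject"


def error_page_link(login, with_token):
    """Build the 'request a new password' link shown on the error page."""
    params = {"action": ACTION, "login": login}
    if with_token:  # the fix: the link now carries a token
        params["token"] = issue_token(login, ACTION)
    return f"{BASE}?{urlencode(params)}"


def handle(url, now=None):
    """Server side: outcome of following a 'request a new password' link."""
    q = parse_qs(urlparse(url).query)
    login = q.get("login", [""])[0]
    return check_token(q.get("token", [""])[0], login, ACTION, now)
```

Because the token is bound to the login name and action, a link whose login parameter is altered after issuance is rejected rather than merely prompting for confirmation.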