From d6848c8d142397f8a4e96c3edda8de5e1ac1ef05 Mon Sep 17 00:00:00 2001
From: Keith Mitchell
Date: Mon, 14 Apr 2014 11:16:46 -0700
Subject: [PATCH] [OAuth2] Don't send unnecessary modhash to OAuth clients

---
 r2/r2/models/account.py | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/r2/r2/models/account.py b/r2/r2/models/account.py
index 62294cfd5..446c1b0ba 100644
--- a/r2/r2/models/account.py
+++ b/r2/r2/models/account.py
@@ -273,6 +273,11 @@ class Account(Thing):
 return not g.disable_captcha and self.link_karma < 1
 def modhash(self, rand=None, test=False):
+ if c.oauth_user:
+ # OAuth clients should never receive a modhash of any kind
+ # as they could use it in a CSRF attack to bypass their
+ # permitted OAuth scopes.
+ return None
 return modhash(self, rand = rand, test = test)
 def valid_hash(self, hash):
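Review bot: The early `return None` in `Account.modhash` changes the method's return type for OAuth-authenticated requests, and nothing in the hunk shows that callers (template rendering, JSON output, or `valid_hash` just below) tolerate `None` instead of a string, so any caller that concatenates or compares the value directly should be checked. The contract deserves a docstring on the method, e.g. `"""Return the user's modhash, or None when the request is OAuth-authenticated (c.oauth_user), so OAuth clients never obtain a CSRF token."""`. Because the decision keys on `c.oauth_user`, the method now depends on ambient request context rather than on the account alone, which is worth a short comment for anyone exercising `Account` outside a request. Withholding the token only reduces exposure; if the verification side (outside this hunk) does not also reject modhash-based CSRF checks on OAuth requests, a token obtained another way would presumably still be accepted. The enclosing class continues past the end of the hunk.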