phorge-phorge/src/aphront/response/base/AphrontResponse.php

<?php

/*
 * Copyright 2012 Facebook, Inc.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *   http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */

/**
 * @group aphront
 */
abstract class AphrontResponse {

  private $request;
  private $cacheable = false;
  private $responseCode = 200;
  private $lastModified = null;

  protected $frameable;

  public function setRequest($request) {
    $this->request = $request;
    return $this;
  }

  public function getRequest() {
    return $this->request;
  }

  public function getHeaders() {
    $headers = array();
    if (!$this->frameable) {
      $headers[] = array('X-Frame-Options', 'Deny');
    }

    return $headers;
  }

  public function setCacheDurationInSeconds($duration) {
    $this->cacheable = $duration;
    return $this;
  }

  public function setLastModified($epoch_timestamp) {
    $this->lastModified = $epoch_timestamp;
    return $this;
  }

  public function setHTTPResponseCode($code) {
    $this->responseCode = $code;
    return $this;
  }

  public function getHTTPResponseCode() {
    return $this->responseCode;
  }

  public function setFrameable($frameable) {
    $this->frameable = $frameable;
    return $this;
  }

  protected function encodeJSONForHTTPResponse(
    array $object,
    $use_javelin_shield) {

    $response = json_encode($object);

    // Prevent content sniffing attacks by encoding "<" and ">", so browsers
    // won't try to execute the document as HTML even if they ignore
    // Content-Type and X-Content-Type-Options. See T865.
    $response = str_replace(
      array('<', '>'),
      array('\u003c', '\u003e'),
      $response);

    return $response;
  }

  protected function addJSONShield($json_response, $use_javelin_shield) {

    // Add a shield to prevent "JSON Hijacking" attacks where an attacker
    // requests a JSON response using a normal <script /> tag and then uses
    // Object.prototype.__defineSetter__() or similar to read response data.
    // This header causes the browser to loop infinitely instead of handing over
    // sensitive data.

    // TODO: This is massively stupid: Javelin and Conduit use different
    // shields.
    $shield = $use_javelin_shield
      ? 'for (;;);'
      : 'for(;;);';

    $response = $shield.$json_response;

    return $response;
  }

  public function getCacheHeaders() {
    $headers = array();
    if ($this->cacheable) {
      $headers[] = array(
        'Expires',
        $this->formatEpochTimestampForHTTPHeader(time() + $this->cacheable));
    } else {
      $headers[] = array(
        'Cache-Control',
        'private, no-cache, no-store, must-revalidate');
      $headers[] = array(
        'Expires',
        'Sat, 01 Jan 2000 00:00:00 GMT');
    }

    if ($this->lastModified) {
      $headers[] = array(
        'Last-Modified',
        $this->formatEpochTimestampForHTTPHeader($this->lastModified));
    }

    // IE has a feature where it may override an explicit Content-Type
    // declaration by inferring a content type. This can be a security risk
    // and we always explicitly transmit the correct Content-Type header, so
    // prevent IE from using inferred content types. This only offers protection
    // on recent versions of IE; IE6/7 and Opera currently ignore this header.
    $headers[] = array('X-Content-Type-Options', 'nosniff');

    return $headers;
  }

  private function formatEpochTimestampForHTTPHeader($epoch_timestamp) {
    return gmdate('D, d M Y H:i:s', $epoch_timestamp).' GMT';
  }

  abstract public function buildResponseString();

}
Import some code, some of which may be relevant to the project. 2011-01-16 13:51:39 -08:00			`<?php`

			`/*`
Improve error message for Conduit path problems Summary: A few people in IRC have been having issues here recently. If you misconfigure the IRC bot, e.g., you get a 200 response back with a bunch of login HTML in it. This is unhelpful. Try to detect that a conduit request is going to the wrong path and raise a concise, explicit error which is comprehensible from the CLI. Also created a "PlainText" response and moved the IE nosniff header to the base response object. Test Plan: As a logged-out user, hit various nonsense with "?__conduit__=true" in the URI. Got good error messages. Hit nonsense without it, got login screens. Reviewers: btrahan, jungejason Reviewed By: btrahan CC: aran Maniphest Tasks: T775 Differential Revision: https://secure.phabricator.com/D1407 2012-01-15 11:06:13 -08:00			`* Copyright 2012 Facebook, Inc.`
Import some code, some of which may be relevant to the project. 2011-01-16 13:51:39 -08:00			`*`
			`* Licensed under the Apache License, Version 2.0 (the "License");`
			`* you may not use this file except in compliance with the License.`
			`* You may obtain a copy of the License at`
			`*`
			`* http://www.apache.org/licenses/LICENSE-2.0`
			`*`
			`* Unless required by applicable law or agreed to in writing, software`
			`* distributed under the License is distributed on an "AS IS" BASIS,`
			`* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.`
			`* See the License for the specific language governing permissions and`
			`* limitations under the License.`
			`*/`

			`/**`
			`* @group aphront`
			`*/`
			`abstract class AphrontResponse {`

			`private $request;`
DifferentialRevisionList 2011-01-27 11:35:04 -08:00			`private $cacheable = false;`
Somewhat proper 404 page, plus HTTP response code. 2011-01-30 08:44:28 -08:00			`private $responseCode = 200;`
Allow Celerity to return "304 Not Modified" responses Summary: We always return HTTP 200 right now and don't send a "Last-Modified" header, so browsers download more data then necessary if you sit on a page mashing reload (for example). Test Plan: Used Charles to verify HTTP response codes from 400, 404 and 304 responses. Mashed reload a bunch and saw that the server sent back 304s. Changed the resource hash seed and saw 200s, then 304s on reload. Reviewed By: tuomaspelkonen Reviewers: tuomaspelkonen, jungejason, aran CC: bmaurer, aran, tuomaspelkonen Differential Revision: 253 2011-05-09 01:10:40 -07:00			`private $lastModified = null;`
Import some code, some of which may be relevant to the project. 2011-01-16 13:51:39 -08:00
Add X-Frame-Options for all response Summary: we use to only add X-Frame-Options for AphrontWebpageResponse. There some security concern about it. Example of a drag-drop attack: http://sites.google.com/site/tentacoloviola/. The fix is to add it to all AphrontResponse. Test Plan: View page which disalble this option still works (like the xhpast tree page); verify that the AphrontAjaxResponse contains the X-Frame-Options in the header. Reviewers: epriestley, benmathews Reviewed By: epriestley CC: nh, aran, jungejason, epriestley Differential Revision: 926 2011-09-13 16:38:28 -07:00			`protected $frameable;`

Import some code, some of which may be relevant to the project. 2011-01-16 13:51:39 -08:00			`public function setRequest($request) {`
			`$this->request = $request;`
			`return $this;`
			`}`

			`public function getRequest() {`
			`return $this->request;`
			`}`

			`public function getHeaders() {`
Add X-Frame-Options for all response Summary: we use to only add X-Frame-Options for AphrontWebpageResponse. There some security concern about it. Example of a drag-drop attack: http://sites.google.com/site/tentacoloviola/. The fix is to add it to all AphrontResponse. Test Plan: View page which disalble this option still works (like the xhpast tree page); verify that the AphrontAjaxResponse contains the X-Frame-Options in the header. Reviewers: epriestley, benmathews Reviewed By: epriestley CC: nh, aran, jungejason, epriestley Differential Revision: 926 2011-09-13 16:38:28 -07:00			`$headers = array();`
			`if (!$this->frameable) {`
			`$headers[] = array('X-Frame-Options', 'Deny');`
			`}`

			`return $headers;`
Import some code, some of which may be relevant to the project. 2011-01-16 13:51:39 -08:00			`}`
Make 404 page somewhat prettier. 2011-01-30 09:15:01 -08:00
DifferentialRevisionList 2011-01-27 11:35:04 -08:00			`public function setCacheDurationInSeconds($duration) {`
			`$this->cacheable = $duration;`
			`return $this;`
			`}`
Make 404 page somewhat prettier. 2011-01-30 09:15:01 -08:00
Allow Celerity to return "304 Not Modified" responses Summary: We always return HTTP 200 right now and don't send a "Last-Modified" header, so browsers download more data then necessary if you sit on a page mashing reload (for example). Test Plan: Used Charles to verify HTTP response codes from 400, 404 and 304 responses. Mashed reload a bunch and saw that the server sent back 304s. Changed the resource hash seed and saw 200s, then 304s on reload. Reviewed By: tuomaspelkonen Reviewers: tuomaspelkonen, jungejason, aran CC: bmaurer, aran, tuomaspelkonen Differential Revision: 253 2011-05-09 01:10:40 -07:00			`public function setLastModified($epoch_timestamp) {`
			`$this->lastModified = $epoch_timestamp;`
			`return $this;`
			`}`

Somewhat proper 404 page, plus HTTP response code. 2011-01-30 08:44:28 -08:00			`public function setHTTPResponseCode($code) {`
			`$this->responseCode = $code;`
			`return $this;`
			`}`
Make 404 page somewhat prettier. 2011-01-30 09:15:01 -08:00
Somewhat proper 404 page, plus HTTP response code. 2011-01-30 08:44:28 -08:00			`public function getHTTPResponseCode() {`
			`return $this->responseCode;`
			`}`
Import some code, some of which may be relevant to the project. 2011-01-16 13:51:39 -08:00
Add X-Frame-Options for all response Summary: we use to only add X-Frame-Options for AphrontWebpageResponse. There some security concern about it. Example of a drag-drop attack: http://sites.google.com/site/tentacoloviola/. The fix is to add it to all AphrontResponse. Test Plan: View page which disalble this option still works (like the xhpast tree page); verify that the AphrontAjaxResponse contains the X-Frame-Options in the header. Reviewers: epriestley, benmathews Reviewed By: epriestley CC: nh, aran, jungejason, epriestley Differential Revision: 926 2011-09-13 16:38:28 -07:00			`public function setFrameable($frameable) {`
			`$this->frameable = $frameable;`
			`return $this;`
			`}`

Encode "<" and ">" in JSON/Ajax responses to prevent content-sniffing attacks Summary: Some browsers will still sniff content types even with "Content-Type" and "X-Content-Type-Options: nosniff". Encode "<" and ">" to prevent them from sniffing the content as HTML. See T865. Also unified some of the code on this pathway. Test Plan: Verified Opera no longer sniffs the Conduit response into HTML for the test case in T865. Unit tests pass. Reviewers: cbg, btrahan Reviewed By: cbg CC: aran, epriestley Maniphest Tasks: T139, T865 Differential Revision: https://secure.phabricator.com/D1606 2012-02-14 14:51:51 -08:00			`protected function encodeJSONForHTTPResponse(`
			`array $object,`
			`$use_javelin_shield) {`

			`$response = json_encode($object);`

			`// Prevent content sniffing attacks by encoding "<" and ">", so browsers`
			`// won't try to execute the document as HTML even if they ignore`
			`// Content-Type and X-Content-Type-Options. See T865.`
			`$response = str_replace(`
			`array('<', '>'),`
			`array('\u003c', '\u003e'),`
			`$response);`

OAuth - Phabricator OAuth server and Phabricator client for new Phabricator OAuth Server Summary: adds a Phabricator OAuth server, which has three big commands: - auth - allows $user to authorize a given client or application. if $user has already authorized, it hands an authoization code back to $redirect_uri - token - given a valid authorization code, this command returns an authorization token - whoami - Conduit.whoami, all nice and purdy relative to the oauth server. Also has a "test" handler, which I used to create some test data. T850 will delete this as it adds the ability to create this data in the Phabricator product. This diff also adds the corresponding client in Phabricator for the Phabricator OAuth Server. (Note that clients are known as "providers" in the Phabricator codebase but client makes more sense relative to the server nomenclature) Also, related to make this work well - clean up the diagnostics page by variabilizing the provider-specific information and extending the provider classes as appropriate. - augment Conduit.whoami for more full-featured OAuth support, at least where the Phabricator client is concerned What's missing here... See T844, T848, T849, T850, and T852. Test Plan: - created a dummy client via the test handler. setup development.conf to have have proper variables for this dummy client. went through authorization and de-authorization flows - viewed the diagnostics page for all known oauth providers and saw provider-specific debugging information Reviewers: epriestley CC: aran, epriestley Maniphest Tasks: T44, T797 Differential Revision: https://secure.phabricator.com/D1595 2012-02-03 16:21:40 -08:00			`return $response;`
			`}`

			`protected function addJSONShield($json_response, $use_javelin_shield) {`

Encode "<" and ">" in JSON/Ajax responses to prevent content-sniffing attacks Summary: Some browsers will still sniff content types even with "Content-Type" and "X-Content-Type-Options: nosniff". Encode "<" and ">" to prevent them from sniffing the content as HTML. See T865. Also unified some of the code on this pathway. Test Plan: Verified Opera no longer sniffs the Conduit response into HTML for the test case in T865. Unit tests pass. Reviewers: cbg, btrahan Reviewed By: cbg CC: aran, epriestley Maniphest Tasks: T139, T865 Differential Revision: https://secure.phabricator.com/D1606 2012-02-14 14:51:51 -08:00			`// Add a shield to prevent "JSON Hijacking" attacks where an attacker`
			`// requests a JSON response using a normal <script /> tag and then uses`
			`// Object.prototype.__defineSetter__() or similar to read response data.`
			`// This header causes the browser to loop infinitely instead of handing over`
			`// sensitive data.`

			`// TODO: This is massively stupid: Javelin and Conduit use different`
			`// shields.`
			`$shield = $use_javelin_shield`
			`? 'for (;;);'`
			`: 'for(;;);';`

OAuth - Phabricator OAuth server and Phabricator client for new Phabricator OAuth Server Summary: adds a Phabricator OAuth server, which has three big commands: - auth - allows $user to authorize a given client or application. if $user has already authorized, it hands an authoization code back to $redirect_uri - token - given a valid authorization code, this command returns an authorization token - whoami - Conduit.whoami, all nice and purdy relative to the oauth server. Also has a "test" handler, which I used to create some test data. T850 will delete this as it adds the ability to create this data in the Phabricator product. This diff also adds the corresponding client in Phabricator for the Phabricator OAuth Server. (Note that clients are known as "providers" in the Phabricator codebase but client makes more sense relative to the server nomenclature) Also, related to make this work well - clean up the diagnostics page by variabilizing the provider-specific information and extending the provider classes as appropriate. - augment Conduit.whoami for more full-featured OAuth support, at least where the Phabricator client is concerned What's missing here... See T844, T848, T849, T850, and T852. Test Plan: - created a dummy client via the test handler. setup development.conf to have have proper variables for this dummy client. went through authorization and de-authorization flows - viewed the diagnostics page for all known oauth providers and saw provider-specific debugging information Reviewers: epriestley CC: aran, epriestley Maniphest Tasks: T44, T797 Differential Revision: https://secure.phabricator.com/D1595 2012-02-03 16:21:40 -08:00			`$response = $shield.$json_response;`
Encode "<" and ">" in JSON/Ajax responses to prevent content-sniffing attacks Summary: Some browsers will still sniff content types even with "Content-Type" and "X-Content-Type-Options: nosniff". Encode "<" and ">" to prevent them from sniffing the content as HTML. See T865. Also unified some of the code on this pathway. Test Plan: Verified Opera no longer sniffs the Conduit response into HTML for the test case in T865. Unit tests pass. Reviewers: cbg, btrahan Reviewed By: cbg CC: aran, epriestley Maniphest Tasks: T139, T865 Differential Revision: https://secure.phabricator.com/D1606 2012-02-14 14:51:51 -08:00
			`return $response;`
			`}`

Import some code, some of which may be relevant to the project. 2011-01-16 13:51:39 -08:00			`public function getCacheHeaders() {`
Allow Celerity to return "304 Not Modified" responses Summary: We always return HTTP 200 right now and don't send a "Last-Modified" header, so browsers download more data then necessary if you sit on a page mashing reload (for example). Test Plan: Used Charles to verify HTTP response codes from 400, 404 and 304 responses. Mashed reload a bunch and saw that the server sent back 304s. Changed the resource hash seed and saw 200s, then 304s on reload. Reviewed By: tuomaspelkonen Reviewers: tuomaspelkonen, jungejason, aran CC: bmaurer, aran, tuomaspelkonen Differential Revision: 253 2011-05-09 01:10:40 -07:00			`$headers = array();`
DifferentialRevisionList 2011-01-27 11:35:04 -08:00			`if ($this->cacheable) {`
Allow Celerity to return "304 Not Modified" responses Summary: We always return HTTP 200 right now and don't send a "Last-Modified" header, so browsers download more data then necessary if you sit on a page mashing reload (for example). Test Plan: Used Charles to verify HTTP response codes from 400, 404 and 304 responses. Mashed reload a bunch and saw that the server sent back 304s. Changed the resource hash seed and saw 200s, then 304s on reload. Reviewed By: tuomaspelkonen Reviewers: tuomaspelkonen, jungejason, aran CC: bmaurer, aran, tuomaspelkonen Differential Revision: 253 2011-05-09 01:10:40 -07:00			`$headers[] = array(`
			`'Expires',`
			`$this->formatEpochTimestampForHTTPHeader(time() + $this->cacheable));`
DifferentialRevisionList 2011-01-27 11:35:04 -08:00			`} else {`
Allow Celerity to return "304 Not Modified" responses Summary: We always return HTTP 200 right now and don't send a "Last-Modified" header, so browsers download more data then necessary if you sit on a page mashing reload (for example). Test Plan: Used Charles to verify HTTP response codes from 400, 404 and 304 responses. Mashed reload a bunch and saw that the server sent back 304s. Changed the resource hash seed and saw 200s, then 304s on reload. Reviewed By: tuomaspelkonen Reviewers: tuomaspelkonen, jungejason, aran CC: bmaurer, aran, tuomaspelkonen Differential Revision: 253 2011-05-09 01:10:40 -07:00			`$headers[] = array(`
			`'Cache-Control',`
			`'private, no-cache, no-store, must-revalidate');`
			`$headers[] = array(`
			`'Expires',`
			`'Sat, 01 Jan 2000 00:00:00 GMT');`
			`}`

			`if ($this->lastModified) {`
			`$headers[] = array(`
			`'Last-Modified',`
			`$this->formatEpochTimestampForHTTPHeader($this->lastModified));`
DifferentialRevisionList 2011-01-27 11:35:04 -08:00			`}`
Allow Celerity to return "304 Not Modified" responses Summary: We always return HTTP 200 right now and don't send a "Last-Modified" header, so browsers download more data then necessary if you sit on a page mashing reload (for example). Test Plan: Used Charles to verify HTTP response codes from 400, 404 and 304 responses. Mashed reload a bunch and saw that the server sent back 304s. Changed the resource hash seed and saw 200s, then 304s on reload. Reviewed By: tuomaspelkonen Reviewers: tuomaspelkonen, jungejason, aran CC: bmaurer, aran, tuomaspelkonen Differential Revision: 253 2011-05-09 01:10:40 -07:00
Improve Differential handling of disabled users Summary: We currently allow you to assign code review to disabled users, but should not. Test Plan: - Created revisions with no reviewers and only disabled reviewers, was appropriately warned. - Looked at a disabled user handle link, was clearly informed. - Tried to create a new revision with a disabled reviewer, was rebuffed. Reviewers: btrahan, jungejason Reviewed By: btrahan CC: aran Differential Revision: https://secure.phabricator.com/D1429 2012-01-16 16:54:05 -08:00			`// IE has a feature where it may override an explicit Content-Type`
			`// declaration by inferring a content type. This can be a security risk`
			`// and we always explicitly transmit the correct Content-Type header, so`
Encode "<" and ">" in JSON/Ajax responses to prevent content-sniffing attacks Summary: Some browsers will still sniff content types even with "Content-Type" and "X-Content-Type-Options: nosniff". Encode "<" and ">" to prevent them from sniffing the content as HTML. See T865. Also unified some of the code on this pathway. Test Plan: Verified Opera no longer sniffs the Conduit response into HTML for the test case in T865. Unit tests pass. Reviewers: cbg, btrahan Reviewed By: cbg CC: aran, epriestley Maniphest Tasks: T139, T865 Differential Revision: https://secure.phabricator.com/D1606 2012-02-14 14:51:51 -08:00			`// prevent IE from using inferred content types. This only offers protection`
			`// on recent versions of IE; IE6/7 and Opera currently ignore this header.`
Improve Differential handling of disabled users Summary: We currently allow you to assign code review to disabled users, but should not. Test Plan: - Created revisions with no reviewers and only disabled reviewers, was appropriately warned. - Looked at a disabled user handle link, was clearly informed. - Tried to create a new revision with a disabled reviewer, was rebuffed. Reviewers: btrahan, jungejason Reviewed By: btrahan CC: aran Differential Revision: https://secure.phabricator.com/D1429 2012-01-16 16:54:05 -08:00			`$headers[] = array('X-Content-Type-Options', 'nosniff');`
Improve error message for Conduit path problems Summary: A few people in IRC have been having issues here recently. If you misconfigure the IRC bot, e.g., you get a 200 response back with a bunch of login HTML in it. This is unhelpful. Try to detect that a conduit request is going to the wrong path and raise a concise, explicit error which is comprehensible from the CLI. Also created a "PlainText" response and moved the IE nosniff header to the base response object. Test Plan: As a logged-out user, hit various nonsense with "?__conduit__=true" in the URI. Got good error messages. Hit nonsense without it, got login screens. Reviewers: btrahan, jungejason Reviewed By: btrahan CC: aran Maniphest Tasks: T775 Differential Revision: https://secure.phabricator.com/D1407 2012-01-15 11:06:13 -08:00
Allow Celerity to return "304 Not Modified" responses Summary: We always return HTTP 200 right now and don't send a "Last-Modified" header, so browsers download more data then necessary if you sit on a page mashing reload (for example). Test Plan: Used Charles to verify HTTP response codes from 400, 404 and 304 responses. Mashed reload a bunch and saw that the server sent back 304s. Changed the resource hash seed and saw 200s, then 304s on reload. Reviewed By: tuomaspelkonen Reviewers: tuomaspelkonen, jungejason, aran CC: bmaurer, aran, tuomaspelkonen Differential Revision: 253 2011-05-09 01:10:40 -07:00			`return $headers;`
			`}`

			`private function formatEpochTimestampForHTTPHeader($epoch_timestamp) {`
			`return gmdate('D, d M Y H:i:s', $epoch_timestamp).' GMT';`
Import some code, some of which may be relevant to the project. 2011-01-16 13:51:39 -08:00			`}`

			`abstract public function buildResponseString();`

			`}`