2011-01-25 18:59:31 +01:00
|
|
|
<?php
|
|
|
|
|
|
|
|
/*
|
2012-03-20 03:21:10 +01:00
|
|
|
* Copyright 2012 Facebook, Inc.
|
2011-01-25 18:59:31 +01:00
|
|
|
*
|
|
|
|
* Licensed under the Apache License, Version 2.0 (the "License");
|
|
|
|
* you may not use this file except in compliance with the License.
|
|
|
|
* You may obtain a copy of the License at
|
|
|
|
*
|
|
|
|
* http://www.apache.org/licenses/LICENSE-2.0
|
|
|
|
*
|
|
|
|
* Unless required by applicable law or agreed to in writing, software
|
|
|
|
* distributed under the License is distributed on an "AS IS" BASIS,
|
|
|
|
* WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
|
|
* See the License for the specific language governing permissions and
|
|
|
|
* limitations under the License.
|
|
|
|
*/
|
|
|
|
|
2011-05-28 01:39:34 +02:00
|
|
|
error_reporting(E_ALL | E_STRICT);
|
|
|
|
ini_set('display_errors', 1);
|
|
|
|
|
2011-01-25 18:59:31 +01:00
|
|
|
$include_path = ini_get('include_path');
|
2012-04-06 08:50:55 +02:00
|
|
|
ini_set(
|
|
|
|
'include_path',
|
|
|
|
$include_path.PATH_SEPARATOR.dirname(__FILE__).'/../../');
|
2012-03-20 03:21:10 +01:00
|
|
|
@include_once 'libphutil/scripts/__init_script__.php';
|
2011-01-25 18:59:31 +01:00
|
|
|
if (!@constant('__LIBPHUTIL__')) {
|
|
|
|
echo "ERROR: Unable to load libphutil. Update your PHP 'include_path' to ".
|
|
|
|
"include the parent directory of libphutil/.\n";
|
|
|
|
exit(1);
|
|
|
|
}
|
|
|
|
|
|
|
|
phutil_load_library(dirname(__FILE__).'/../src/');
|
Create AphrontWriteGuard, a backup mechanism for CSRF validation
Summary:
Provide a catchall mechanism to find unprotected writes.
- Depends on D758.
- Similar to WriteOnHTTPGet stuff from Facebook's stack.
- Since we have a small number of storage mechanisms and highly structured
read/write pathways, we can explicitly answer the question "is this page
performing a write?".
- Never allow writes without CSRF checks.
- This will probably break some things. That's fine: they're CSRF
vulnerabilities or weird edge cases that we can fix. But don't push to Facebook
for a few days unless you're prepared to deal with this.
- **>>> MEGADERP: All Conduit write APIs are currently vulnerable to CSRF!
<<<**
Test Plan:
- Ran some scripts that perform writes (scripts/search indexers), no issues.
- Performed normal CSRF submits.
- Added writes to an un-CSRF'd page, got an exception.
- Executed conduit methods.
- Did login/logout (this works because the logged-out user validates the
logged-out csrf "token").
- Did OAuth login.
- Did OAuth registration.
Reviewers: pedram, andrewjcg, erling, jungejason, tuomaspelkonen, aran,
codeblock
Commenters: pedram
CC: aran, epriestley, pedram
Differential Revision: 777
2011-08-03 20:49:27 +02:00
|
|
|
|
|
|
|
// NOTE: This is dangerous in general, but we know we're in a script context and
|
|
|
|
// are not vulnerable to CSRF.
|
|
|
|
AphrontWriteGuard::allowDangerousUnguardedWrites(true);
|
2011-10-01 17:59:42 +02:00
|
|
|
|
|
|
|
require_once dirname(dirname(__FILE__)).'/conf/__init_conf__.php';
|
|
|
|
|
|
|
|
$env = isset($_SERVER['PHABRICATOR_ENV'])
|
|
|
|
? $_SERVER['PHABRICATOR_ENV']
|
|
|
|
: getenv('PHABRICATOR_ENV');
|
|
|
|
if (!$env) {
|
|
|
|
echo "Define PHABRICATOR_ENV before running this script.\n";
|
|
|
|
exit(1);
|
|
|
|
}
|
|
|
|
|
|
|
|
$conf = phabricator_read_config_file($env);
|
|
|
|
$conf['phabricator.env'] = $env;
|
|
|
|
|
|
|
|
phutil_require_module('phabricator', 'infrastructure/env');
|
|
|
|
PhabricatorEnv::setEnvConfig($conf);
|
|
|
|
|
|
|
|
phutil_load_library('arcanist/src');
|
|
|
|
|
|
|
|
foreach (PhabricatorEnv::getEnvConfig('load-libraries') as $library) {
|
|
|
|
phutil_load_library($library);
|
|
|
|
}
|
|
|
|
|
|
|
|
PhutilErrorHandler::initialize();
|
|
|
|
PhabricatorEventEngine::initialize();
|
|
|
|
|
|
|
|
$tz = PhabricatorEnv::getEnvConfig('phabricator.timezone');
|
|
|
|
if ($tz) {
|
|
|
|
date_default_timezone_set($tz);
|
|
|
|
}
|