2012-07-19 18:03:10 +02:00
|
|
|
<?php
|
|
|
|
|
2012-10-15 23:51:04 +02:00
|
|
|
final class PhameBlog extends PhameDAO
|
2015-06-03 23:24:21 +02:00
|
|
|
implements
|
|
|
|
PhabricatorPolicyInterface,
|
|
|
|
PhabricatorMarkupInterface,
|
2015-07-22 16:00:36 +02:00
|
|
|
PhabricatorSubscribableInterface,
|
2015-07-22 16:04:21 +02:00
|
|
|
PhabricatorFlaggableInterface,
|
2015-07-22 16:08:00 +02:00
|
|
|
PhabricatorProjectInterface,
|
2015-11-28 22:01:11 +01:00
|
|
|
PhabricatorDestructibleInterface,
|
2015-12-28 12:58:43 +01:00
|
|
|
PhabricatorApplicationTransactionInterface,
|
2016-06-14 21:58:21 +02:00
|
|
|
PhabricatorConduitResultInterface,
|
|
|
|
PhabricatorFulltextInterface {
|
2012-10-15 23:51:04 +02:00
|
|
|
|
|
|
|
const MARKUP_FIELD_DESCRIPTION = 'markup:description';
|
2012-10-13 01:01:33 +02:00
|
|
|
|
2012-07-19 18:03:10 +02:00
|
|
|
protected $name;
|
2016-06-18 16:21:39 +02:00
|
|
|
protected $subtitle;
|
2012-07-19 18:03:10 +02:00
|
|
|
protected $description;
|
2012-10-01 02:10:27 +02:00
|
|
|
protected $domain;
|
2016-06-24 23:09:49 +02:00
|
|
|
protected $domainFullURI;
|
2016-06-20 21:42:53 +02:00
|
|
|
protected $parentSite;
|
|
|
|
protected $parentDomain;
|
2012-07-19 18:03:10 +02:00
|
|
|
protected $configData;
|
|
|
|
protected $creatorPHID;
|
2012-10-15 23:49:52 +02:00
|
|
|
protected $viewPolicy;
|
|
|
|
protected $editPolicy;
|
2015-11-21 17:51:07 +01:00
|
|
|
protected $status;
|
2015-11-08 16:50:01 +01:00
|
|
|
protected $mailKey;
|
2015-11-28 21:42:36 +01:00
|
|
|
protected $profileImagePHID;
|
2016-06-17 20:23:12 +02:00
|
|
|
protected $headerImagePHID;
|
2012-10-13 01:01:33 +02:00
|
|
|
|
2015-11-28 21:42:36 +01:00
|
|
|
private $profileImageFile = self::ATTACHABLE;
|
2016-06-17 20:23:12 +02:00
|
|
|
private $headerImageFile = self::ATTACHABLE;
|
2012-10-13 01:01:33 +02:00
|
|
|
|
2015-11-21 17:51:07 +01:00
|
|
|
const STATUS_ACTIVE = 'active';
|
|
|
|
const STATUS_ARCHIVED = 'archived';
|
|
|
|
|
2015-01-13 20:47:05 +01:00
|
|
|
protected function getConfiguration() {
|
2012-07-19 18:03:10 +02:00
|
|
|
return array(
|
|
|
|
self::CONFIG_AUX_PHID => true,
|
|
|
|
self::CONFIG_SERIALIZATION => array(
|
|
|
|
'configData' => self::SERIALIZATION_JSON,
|
|
|
|
),
|
2014-09-24 22:50:57 +02:00
|
|
|
self::CONFIG_COLUMN_SCHEMA => array(
|
|
|
|
'name' => 'text64',
|
2016-06-18 16:21:39 +02:00
|
|
|
'subtitle' => 'text64',
|
2014-09-24 22:50:57 +02:00
|
|
|
'description' => 'text',
|
Fix almost all remaining schemata issues
Summary:
Ref T1191. This fixes nearly every remaining blocker for utf8mb4 -- primarily, overlong keys.
Remaining issue is https://secure.phabricator.com/T1191#77467
Test Plan: I'll annotate inline.
Reviewers: btrahan
Reviewed By: btrahan
Subscribers: epriestley, hach-que
Maniphest Tasks: T6099, T6129, T6133, T6134, T6150, T6148, T6147, T6146, T6105, T1191
Differential Revision: https://secure.phabricator.com/D10601
2014-10-01 17:18:36 +02:00
|
|
|
'domain' => 'text128?',
|
2016-06-24 23:09:49 +02:00
|
|
|
'domainFullURI' => 'text128?',
|
2016-07-06 22:45:42 +02:00
|
|
|
'parentSite' => 'text128?',
|
|
|
|
'parentDomain' => 'text128?',
|
2015-11-21 17:51:07 +01:00
|
|
|
'status' => 'text32',
|
2015-11-08 16:50:01 +01:00
|
|
|
'mailKey' => 'bytes20',
|
2015-11-28 21:42:36 +01:00
|
|
|
'profileImagePHID' => 'phid?',
|
2016-06-17 20:23:12 +02:00
|
|
|
'headerImagePHID' => 'phid?',
|
2014-10-01 16:59:44 +02:00
|
|
|
|
|
|
|
// T6203/NULLABILITY
|
|
|
|
// These policies should always be non-null.
|
|
|
|
'editPolicy' => 'policy?',
|
|
|
|
'viewPolicy' => 'policy?',
|
2014-09-24 22:50:57 +02:00
|
|
|
),
|
|
|
|
self::CONFIG_KEY_SCHEMA => array(
|
|
|
|
'key_phid' => null,
|
|
|
|
'phid' => array(
|
|
|
|
'columns' => array('phid'),
|
|
|
|
'unique' => true,
|
|
|
|
),
|
|
|
|
'domain' => array(
|
|
|
|
'columns' => array('domain'),
|
|
|
|
'unique' => true,
|
|
|
|
),
|
|
|
|
),
|
2012-07-19 18:03:10 +02:00
|
|
|
) + parent::getConfiguration();
|
|
|
|
}
|
|
|
|
|
2015-11-08 16:50:01 +01:00
|
|
|
public function save() {
|
|
|
|
if (!$this->getMailKey()) {
|
|
|
|
$this->setMailKey(Filesystem::readRandomCharacters(20));
|
|
|
|
}
|
|
|
|
return parent::save();
|
|
|
|
}
|
|
|
|
|
2012-07-19 18:03:10 +02:00
|
|
|
public function generatePHID() {
|
|
|
|
return PhabricatorPHID::generateNewPHID(
|
2014-07-24 00:05:46 +02:00
|
|
|
PhabricatorPhameBlogPHIDType::TYPECONST);
|
2012-07-19 18:03:10 +02:00
|
|
|
}
|
|
|
|
|
2015-05-15 02:05:58 +02:00
|
|
|
public static function initializeNewBlog(PhabricatorUser $actor) {
|
|
|
|
$blog = id(new PhameBlog())
|
|
|
|
->setCreatorPHID($actor->getPHID())
|
2015-11-26 03:06:23 +01:00
|
|
|
->setStatus(self::STATUS_ACTIVE)
|
2015-05-15 02:05:58 +02:00
|
|
|
->setViewPolicy(PhabricatorPolicies::getMostOpenPolicy())
|
2015-11-09 17:52:44 +01:00
|
|
|
->setEditPolicy(PhabricatorPolicies::POLICY_USER);
|
2015-05-15 02:05:58 +02:00
|
|
|
return $blog;
|
|
|
|
}
|
|
|
|
|
2015-11-21 17:51:07 +01:00
|
|
|
public function isArchived() {
|
|
|
|
return ($this->getStatus() == self::STATUS_ARCHIVED);
|
|
|
|
}
|
|
|
|
|
|
|
|
public static function getStatusNameMap() {
|
|
|
|
return array(
|
|
|
|
self::STATUS_ACTIVE => pht('Active'),
|
|
|
|
self::STATUS_ARCHIVED => pht('Archived'),
|
|
|
|
);
|
|
|
|
}
|
|
|
|
|
2012-10-01 02:10:27 +02:00
|
|
|
/**
|
|
|
|
* Makes sure a given custom blog uri is properly configured in DNS
|
|
|
|
* to point at this Phabricator instance. If there is an error in
|
|
|
|
* the configuration, return a string describing the error and how
|
|
|
|
* to fix it. If there is no error, return an empty string.
|
|
|
|
*
|
|
|
|
* @return string
|
|
|
|
*/
|
2016-06-24 23:09:49 +02:00
|
|
|
public function validateCustomDomain($domain_full_uri) {
|
|
|
|
$example_domain = 'http://blog.example.com/';
|
2014-04-30 22:19:14 +02:00
|
|
|
$label = pht('Invalid');
|
2012-10-01 02:10:27 +02:00
|
|
|
|
|
|
|
// note this "uri" should be pretty busted given the desired input
|
|
|
|
// so just use it to test if there's a protocol specified
|
2016-06-24 23:09:49 +02:00
|
|
|
$uri = new PhutilURI($domain_full_uri);
|
|
|
|
$domain = $uri->getDomain();
|
|
|
|
$protocol = $uri->getProtocol();
|
|
|
|
$path = $uri->getPath();
|
|
|
|
$supported_protocols = array('http', 'https');
|
2014-03-11 23:53:15 +01:00
|
|
|
|
2016-06-24 23:09:49 +02:00
|
|
|
if (!in_array($protocol, $supported_protocols)) {
|
2014-10-07 15:01:04 +02:00
|
|
|
return array(
|
|
|
|
$label,
|
2014-04-30 22:19:14 +02:00
|
|
|
pht(
|
2016-06-24 23:09:49 +02:00
|
|
|
'The custom domain should include a valid protocol in the URI '.
|
|
|
|
'(for example, "%s"). Valid protocols are "http" or "https".',
|
2014-10-07 15:01:04 +02:00
|
|
|
$example_domain),
|
2016-06-24 23:09:49 +02:00
|
|
|
);
|
2012-10-01 02:10:27 +02:00
|
|
|
}
|
|
|
|
|
2016-06-24 23:09:49 +02:00
|
|
|
if (strlen($path) && $path != '/') {
|
2014-10-07 15:01:04 +02:00
|
|
|
return array(
|
|
|
|
$label,
|
2014-04-30 22:19:14 +02:00
|
|
|
pht(
|
|
|
|
'The custom domain should not specify a path (hosting a Phame '.
|
|
|
|
'blog at a path is currently not supported). Instead, just provide '.
|
|
|
|
'the bare domain name (for example, "%s").',
|
2014-10-07 15:01:04 +02:00
|
|
|
$example_domain),
|
|
|
|
);
|
2012-10-01 02:10:27 +02:00
|
|
|
}
|
|
|
|
|
2016-06-24 23:09:49 +02:00
|
|
|
if (strpos($domain, '.') === false) {
|
2014-10-07 15:01:04 +02:00
|
|
|
return array(
|
|
|
|
$label,
|
2014-04-30 22:19:14 +02:00
|
|
|
pht(
|
|
|
|
'The custom domain should contain at least one dot (.) because '.
|
|
|
|
'some browsers fail to set cookies on domains without a dot. '.
|
|
|
|
'Instead, use a normal looking domain name like "%s".',
|
2014-10-07 15:01:04 +02:00
|
|
|
$example_domain),
|
|
|
|
);
|
2014-04-30 22:19:14 +02:00
|
|
|
}
|
|
|
|
|
|
|
|
if (!PhabricatorEnv::getEnvConfig('policy.allow-public')) {
|
|
|
|
$href = PhabricatorEnv::getProductionURI(
|
|
|
|
'/config/edit/policy.allow-public/');
|
2014-10-07 15:01:04 +02:00
|
|
|
return array(
|
|
|
|
pht('Fix Configuration'),
|
2014-04-30 22:19:14 +02:00
|
|
|
pht(
|
|
|
|
'For custom domains to work, this Phabricator instance must be '.
|
|
|
|
'configured to allow the public access policy. Configure this '.
|
|
|
|
'setting %s, or ask an administrator to configure this setting. '.
|
|
|
|
'The domain can be specified later once this setting has been '.
|
|
|
|
'changed.',
|
|
|
|
phutil_tag(
|
|
|
|
'a',
|
|
|
|
array('href' => $href),
|
2014-10-07 15:01:04 +02:00
|
|
|
pht('here'))),
|
|
|
|
);
|
2012-10-01 02:10:27 +02:00
|
|
|
}
|
|
|
|
|
2014-03-11 23:53:15 +01:00
|
|
|
return null;
|
2012-10-01 02:10:27 +02:00
|
|
|
}
|
|
|
|
|
Remove skins from Phame
Summary:
Ref T9897. Purge a bunch of stuff:
- Remove skins.
- Remove all custom sites for skin resources.
- Remove "framed", "notlive", "preview", separate "live" controllers (see below).
- Merge "publish" and "unpublish" controllers into one.
New behavior:
- Blogs and posts have three views:
- "View": Internal view URI, which is a normal detail page.
- "Internal Live": Internal view URI which is a little prettier.
- "External Live": External view URI for an external domain.
Right now, the differences are pretty minor (basically, different crumbs/chrome). This mostly gives us room to put some milder flavor of skins back later (photography or more "presentation" elements, for example).
This removes 9 million lines of code so I probably missed a couple of things, but I think it's like 95% of the way there.
Test Plan:
Here are some examples of what the "view", "internal" and "external" views look like for blogs (posts are similar):
"View": Unchanged
{F1021634}
"Internal": No chrome or footer. Still write actions (edit, post commments). Has crumbs to get back into Phame.
{F1021635}
"External": No chrome or footer. No write actions. No Phabricator crumbs. No policy/status information.
{F1021638}
I figure we'll probably tweak these a bit to figure out what makes sense (like: maybe no actions on "internal, live"? and "external, live" probably needs a way to set a root "Company >" crumb?) but that they're reasonable-ish as a first cut?
Reviewers: chad
Reviewed By: chad
Maniphest Tasks: T9897
Differential Revision: https://secure.phabricator.com/D14740
2015-12-11 16:07:45 +01:00
|
|
|
public function getLiveURI() {
|
|
|
|
if (strlen($this->getDomain())) {
|
|
|
|
return $this->getExternalLiveURI();
|
Don't 302 to an external URI, even after CSRF POST
Summary:
Via HackerOne. This defuses an attack which allows users to steal OAuth tokens through a clever sequence of steps:
- The attacker begins the OAuth workflow and copies the Facebook URL.
- The attacker mutates the URL to use the JS/anchor workflow, and to redirect to `/phame/live/X/` instead of `/login/facebook:facebook.com/`, where `X` is the ID of some blog they control. Facebook isn't strict about paths, so this is allowed.
- The blog has an external domain set (`blog.evil.com`), and the attacker controls that domain.
- The user gets stopped on the "live" controller with credentials in the page anchor (`#access_token=...`) and a message ("This blog has moved...") in a dialog. They click "Continue", which POSTs a CSRF token.
- When a user POSTs a `<form />` with no `action` attribute, the browser retains the page anchor. So visiting `/phame/live/8/#anchor` and clicking the "Continue" button POSTs you to a page with `#anchor` intact.
- Some browsers (including Firefox and Chrome) retain the anchor after a 302 redirect.
- The OAuth credentials are thus preserved when the user reaches `blog.evil.com`, and the attacker's site can read them.
This 302'ing after CSRF post is unusual in Phabricator and unique to Phame. It's not necessary -- instead, just use normal links, which drop anchors.
I'm going to pursue further steps to mitigate this class of attack more thoroughly:
- Ideally, we should render forms with an explicit `action` attribute, but this might be a lot of work. I might render them with `#` if no action is provided. We never expect anchors to survive POST, and it's surprising to me that they do.
- I'm going to blacklist OAuth parameters (like `access_token`) from appearing in GET on all pages except whitelisted pages (login pages). Although it's not important here, I think these could be captured from referrers in some cases. See also T4342.
Test Plan: Browsed all the affected Phame interfaces.
Reviewers: btrahan
Reviewed By: btrahan
CC: aran, arice
Differential Revision: https://secure.phabricator.com/D8481
2014-03-11 00:21:07 +01:00
|
|
|
} else {
|
Remove skins from Phame
Summary:
Ref T9897. Purge a bunch of stuff:
- Remove skins.
- Remove all custom sites for skin resources.
- Remove "framed", "notlive", "preview", separate "live" controllers (see below).
- Merge "publish" and "unpublish" controllers into one.
New behavior:
- Blogs and posts have three views:
- "View": Internal view URI, which is a normal detail page.
- "Internal Live": Internal view URI which is a little prettier.
- "External Live": External view URI for an external domain.
Right now, the differences are pretty minor (basically, different crumbs/chrome). This mostly gives us room to put some milder flavor of skins back later (photography or more "presentation" elements, for example).
This removes 9 million lines of code so I probably missed a couple of things, but I think it's like 95% of the way there.
Test Plan:
Here are some examples of what the "view", "internal" and "external" views look like for blogs (posts are similar):
"View": Unchanged
{F1021634}
"Internal": No chrome or footer. Still write actions (edit, post commments). Has crumbs to get back into Phame.
{F1021635}
"External": No chrome or footer. No write actions. No Phabricator crumbs. No policy/status information.
{F1021638}
I figure we'll probably tweak these a bit to figure out what makes sense (like: maybe no actions on "internal, live"? and "external, live" probably needs a way to set a root "Company >" crumb?) but that they're reasonable-ish as a first cut?
Reviewers: chad
Reviewed By: chad
Maniphest Tasks: T9897
Differential Revision: https://secure.phabricator.com/D14740
2015-12-11 16:07:45 +01:00
|
|
|
return $this->getInternalLiveURI();
|
Don't 302 to an external URI, even after CSRF POST
Summary:
Via HackerOne. This defuses an attack which allows users to steal OAuth tokens through a clever sequence of steps:
- The attacker begins the OAuth workflow and copies the Facebook URL.
- The attacker mutates the URL to use the JS/anchor workflow, and to redirect to `/phame/live/X/` instead of `/login/facebook:facebook.com/`, where `X` is the ID of some blog they control. Facebook isn't strict about paths, so this is allowed.
- The blog has an external domain set (`blog.evil.com`), and the attacker controls that domain.
- The user gets stopped on the "live" controller with credentials in the page anchor (`#access_token=...`) and a message ("This blog has moved...") in a dialog. They click "Continue", which POSTs a CSRF token.
- When a user POSTs a `<form />` with no `action` attribute, the browser retains the page anchor. So visiting `/phame/live/8/#anchor` and clicking the "Continue" button POSTs you to a page with `#anchor` intact.
- Some browsers (including Firefox and Chrome) retain the anchor after a 302 redirect.
- The OAuth credentials are thus preserved when the user reaches `blog.evil.com`, and the attacker's site can read them.
This 302'ing after CSRF post is unusual in Phabricator and unique to Phame. It's not necessary -- instead, just use normal links, which drop anchors.
I'm going to pursue further steps to mitigate this class of attack more thoroughly:
- Ideally, we should render forms with an explicit `action` attribute, but this might be a lot of work. I might render them with `#` if no action is provided. We never expect anchors to survive POST, and it's surprising to me that they do.
- I'm going to blacklist OAuth parameters (like `access_token`) from appearing in GET on all pages except whitelisted pages (login pages). Although it's not important here, I think these could be captured from referrers in some cases. See also T4342.
Test Plan: Browsed all the affected Phame interfaces.
Reviewers: btrahan
Reviewed By: btrahan
CC: aran, arice
Differential Revision: https://secure.phabricator.com/D8481
2014-03-11 00:21:07 +01:00
|
|
|
}
|
Remove skins from Phame
Summary:
Ref T9897. Purge a bunch of stuff:
- Remove skins.
- Remove all custom sites for skin resources.
- Remove "framed", "notlive", "preview", separate "live" controllers (see below).
- Merge "publish" and "unpublish" controllers into one.
New behavior:
- Blogs and posts have three views:
- "View": Internal view URI, which is a normal detail page.
- "Internal Live": Internal view URI which is a little prettier.
- "External Live": External view URI for an external domain.
Right now, the differences are pretty minor (basically, different crumbs/chrome). This mostly gives us room to put some milder flavor of skins back later (photography or more "presentation" elements, for example).
This removes 9 million lines of code so I probably missed a couple of things, but I think it's like 95% of the way there.
Test Plan:
Here are some examples of what the "view", "internal" and "external" views look like for blogs (posts are similar):
"View": Unchanged
{F1021634}
"Internal": No chrome or footer. Still write actions (edit, post commments). Has crumbs to get back into Phame.
{F1021635}
"External": No chrome or footer. No write actions. No Phabricator crumbs. No policy/status information.
{F1021638}
I figure we'll probably tweak these a bit to figure out what makes sense (like: maybe no actions on "internal, live"? and "external, live" probably needs a way to set a root "Company >" crumb?) but that they're reasonable-ish as a first cut?
Reviewers: chad
Reviewed By: chad
Maniphest Tasks: T9897
Differential Revision: https://secure.phabricator.com/D14740
2015-12-11 16:07:45 +01:00
|
|
|
}
|
Don't 302 to an external URI, even after CSRF POST
Summary:
Via HackerOne. This defuses an attack which allows users to steal OAuth tokens through a clever sequence of steps:
- The attacker begins the OAuth workflow and copies the Facebook URL.
- The attacker mutates the URL to use the JS/anchor workflow, and to redirect to `/phame/live/X/` instead of `/login/facebook:facebook.com/`, where `X` is the ID of some blog they control. Facebook isn't strict about paths, so this is allowed.
- The blog has an external domain set (`blog.evil.com`), and the attacker controls that domain.
- The user gets stopped on the "live" controller with credentials in the page anchor (`#access_token=...`) and a message ("This blog has moved...") in a dialog. They click "Continue", which POSTs a CSRF token.
- When a user POSTs a `<form />` with no `action` attribute, the browser retains the page anchor. So visiting `/phame/live/8/#anchor` and clicking the "Continue" button POSTs you to a page with `#anchor` intact.
- Some browsers (including Firefox and Chrome) retain the anchor after a 302 redirect.
- The OAuth credentials are thus preserved when the user reaches `blog.evil.com`, and the attacker's site can read them.
This 302'ing after CSRF post is unusual in Phabricator and unique to Phame. It's not necessary -- instead, just use normal links, which drop anchors.
I'm going to pursue further steps to mitigate this class of attack more thoroughly:
- Ideally, we should render forms with an explicit `action` attribute, but this might be a lot of work. I might render them with `#` if no action is provided. We never expect anchors to survive POST, and it's surprising to me that they do.
- I'm going to blacklist OAuth parameters (like `access_token`) from appearing in GET on all pages except whitelisted pages (login pages). Although it's not important here, I think these could be captured from referrers in some cases. See also T4342.
Test Plan: Browsed all the affected Phame interfaces.
Reviewers: btrahan
Reviewed By: btrahan
CC: aran, arice
Differential Revision: https://secure.phabricator.com/D8481
2014-03-11 00:21:07 +01:00
|
|
|
|
Remove skins from Phame
Summary:
Ref T9897. Purge a bunch of stuff:
- Remove skins.
- Remove all custom sites for skin resources.
- Remove "framed", "notlive", "preview", separate "live" controllers (see below).
- Merge "publish" and "unpublish" controllers into one.
New behavior:
- Blogs and posts have three views:
- "View": Internal view URI, which is a normal detail page.
- "Internal Live": Internal view URI which is a little prettier.
- "External Live": External view URI for an external domain.
Right now, the differences are pretty minor (basically, different crumbs/chrome). This mostly gives us room to put some milder flavor of skins back later (photography or more "presentation" elements, for example).
This removes 9 million lines of code so I probably missed a couple of things, but I think it's like 95% of the way there.
Test Plan:
Here are some examples of what the "view", "internal" and "external" views look like for blogs (posts are similar):
"View": Unchanged
{F1021634}
"Internal": No chrome or footer. Still write actions (edit, post commments). Has crumbs to get back into Phame.
{F1021635}
"External": No chrome or footer. No write actions. No Phabricator crumbs. No policy/status information.
{F1021638}
I figure we'll probably tweak these a bit to figure out what makes sense (like: maybe no actions on "internal, live"? and "external, live" probably needs a way to set a root "Company >" crumb?) but that they're reasonable-ish as a first cut?
Reviewers: chad
Reviewed By: chad
Maniphest Tasks: T9897
Differential Revision: https://secure.phabricator.com/D14740
2015-12-11 16:07:45 +01:00
|
|
|
public function getExternalLiveURI() {
|
2016-06-24 23:09:49 +02:00
|
|
|
$uri = new PhutilURI($this->getDomainFullURI());
|
|
|
|
PhabricatorEnv::requireValidRemoteURIForLink($uri);
|
Remove skins from Phame
Summary:
Ref T9897. Purge a bunch of stuff:
- Remove skins.
- Remove all custom sites for skin resources.
- Remove "framed", "notlive", "preview", separate "live" controllers (see below).
- Merge "publish" and "unpublish" controllers into one.
New behavior:
- Blogs and posts have three views:
- "View": Internal view URI, which is a normal detail page.
- "Internal Live": Internal view URI which is a little prettier.
- "External Live": External view URI for an external domain.
Right now, the differences are pretty minor (basically, different crumbs/chrome). This mostly gives us room to put some milder flavor of skins back later (photography or more "presentation" elements, for example).
This removes 9 million lines of code so I probably missed a couple of things, but I think it's like 95% of the way there.
Test Plan:
Here are some examples of what the "view", "internal" and "external" views look like for blogs (posts are similar):
"View": Unchanged
{F1021634}
"Internal": No chrome or footer. Still write actions (edit, post commments). Has crumbs to get back into Phame.
{F1021635}
"External": No chrome or footer. No write actions. No Phabricator crumbs. No policy/status information.
{F1021638}
I figure we'll probably tweak these a bit to figure out what makes sense (like: maybe no actions on "internal, live"? and "external, live" probably needs a way to set a root "Company >" crumb?) but that they're reasonable-ish as a first cut?
Reviewers: chad
Reviewed By: chad
Maniphest Tasks: T9897
Differential Revision: https://secure.phabricator.com/D14740
2015-12-11 16:07:45 +01:00
|
|
|
return (string)$uri;
|
|
|
|
}
|
Don't 302 to an external URI, even after CSRF POST
Summary:
Via HackerOne. This defuses an attack which allows users to steal OAuth tokens through a clever sequence of steps:
- The attacker begins the OAuth workflow and copies the Facebook URL.
- The attacker mutates the URL to use the JS/anchor workflow, and to redirect to `/phame/live/X/` instead of `/login/facebook:facebook.com/`, where `X` is the ID of some blog they control. Facebook isn't strict about paths, so this is allowed.
- The blog has an external domain set (`blog.evil.com`), and the attacker controls that domain.
- The user gets stopped on the "live" controller with credentials in the page anchor (`#access_token=...`) and a message ("This blog has moved...") in a dialog. They click "Continue", which POSTs a CSRF token.
- When a user POSTs a `<form />` with no `action` attribute, the browser retains the page anchor. So visiting `/phame/live/8/#anchor` and clicking the "Continue" button POSTs you to a page with `#anchor` intact.
- Some browsers (including Firefox and Chrome) retain the anchor after a 302 redirect.
- The OAuth credentials are thus preserved when the user reaches `blog.evil.com`, and the attacker's site can read them.
This 302'ing after CSRF post is unusual in Phabricator and unique to Phame. It's not necessary -- instead, just use normal links, which drop anchors.
I'm going to pursue further steps to mitigate this class of attack more thoroughly:
- Ideally, we should render forms with an explicit `action` attribute, but this might be a lot of work. I might render them with `#` if no action is provided. We never expect anchors to survive POST, and it's surprising to me that they do.
- I'm going to blacklist OAuth parameters (like `access_token`) from appearing in GET on all pages except whitelisted pages (login pages). Although it's not important here, I think these could be captured from referrers in some cases. See also T4342.
Test Plan: Browsed all the affected Phame interfaces.
Reviewers: btrahan
Reviewed By: btrahan
CC: aran, arice
Differential Revision: https://secure.phabricator.com/D8481
2014-03-11 00:21:07 +01:00
|
|
|
|
2016-06-20 21:42:53 +02:00
|
|
|
public function getExternalParentURI() {
|
|
|
|
$uri = $this->getParentDomain();
|
|
|
|
PhabricatorEnv::requireValidRemoteURIForLink($uri);
|
|
|
|
return (string)$uri;
|
|
|
|
}
|
|
|
|
|
Remove skins from Phame
Summary:
Ref T9897. Purge a bunch of stuff:
- Remove skins.
- Remove all custom sites for skin resources.
- Remove "framed", "notlive", "preview", separate "live" controllers (see below).
- Merge "publish" and "unpublish" controllers into one.
New behavior:
- Blogs and posts have three views:
- "View": Internal view URI, which is a normal detail page.
- "Internal Live": Internal view URI which is a little prettier.
- "External Live": External view URI for an external domain.
Right now, the differences are pretty minor (basically, different crumbs/chrome). This mostly gives us room to put some milder flavor of skins back later (photography or more "presentation" elements, for example).
This removes 9 million lines of code so I probably missed a couple of things, but I think it's like 95% of the way there.
Test Plan:
Here are some examples of what the "view", "internal" and "external" views look like for blogs (posts are similar):
"View": Unchanged
{F1021634}
"Internal": No chrome or footer. Still write actions (edit, post commments). Has crumbs to get back into Phame.
{F1021635}
"External": No chrome or footer. No write actions. No Phabricator crumbs. No policy/status information.
{F1021638}
I figure we'll probably tweak these a bit to figure out what makes sense (like: maybe no actions on "internal, live"? and "external, live" probably needs a way to set a root "Company >" crumb?) but that they're reasonable-ish as a first cut?
Reviewers: chad
Reviewed By: chad
Maniphest Tasks: T9897
Differential Revision: https://secure.phabricator.com/D14740
2015-12-11 16:07:45 +01:00
|
|
|
public function getInternalLiveURI() {
|
|
|
|
return '/phame/live/'.$this->getID().'/';
|
Don't 302 to an external URI, even after CSRF POST
Summary:
Via HackerOne. This defuses an attack which allows users to steal OAuth tokens through a clever sequence of steps:
- The attacker begins the OAuth workflow and copies the Facebook URL.
- The attacker mutates the URL to use the JS/anchor workflow, and to redirect to `/phame/live/X/` instead of `/login/facebook:facebook.com/`, where `X` is the ID of some blog they control. Facebook isn't strict about paths, so this is allowed.
- The blog has an external domain set (`blog.evil.com`), and the attacker controls that domain.
- The user gets stopped on the "live" controller with credentials in the page anchor (`#access_token=...`) and a message ("This blog has moved...") in a dialog. They click "Continue", which POSTs a CSRF token.
- When a user POSTs a `<form />` with no `action` attribute, the browser retains the page anchor. So visiting `/phame/live/8/#anchor` and clicking the "Continue" button POSTs you to a page with `#anchor` intact.
- Some browsers (including Firefox and Chrome) retain the anchor after a 302 redirect.
- The OAuth credentials are thus preserved when the user reaches `blog.evil.com`, and the attacker's site can read them.
This 302'ing after CSRF post is unusual in Phabricator and unique to Phame. It's not necessary -- instead, just use normal links, which drop anchors.
I'm going to pursue further steps to mitigate this class of attack more thoroughly:
- Ideally, we should render forms with an explicit `action` attribute, but this might be a lot of work. I might render them with `#` if no action is provided. We never expect anchors to survive POST, and it's surprising to me that they do.
- I'm going to blacklist OAuth parameters (like `access_token`) from appearing in GET on all pages except whitelisted pages (login pages). Although it's not important here, I think these could be captured from referrers in some cases. See also T4342.
Test Plan: Browsed all the affected Phame interfaces.
Reviewers: btrahan
Reviewed By: btrahan
CC: aran, arice
Differential Revision: https://secure.phabricator.com/D8481
2014-03-11 00:21:07 +01:00
|
|
|
}
|
|
|
|
|
2015-11-08 16:50:01 +01:00
|
|
|
public function getViewURI() {
|
Remove skins from Phame
Summary:
Ref T9897. Purge a bunch of stuff:
- Remove skins.
- Remove all custom sites for skin resources.
- Remove "framed", "notlive", "preview", separate "live" controllers (see below).
- Merge "publish" and "unpublish" controllers into one.
New behavior:
- Blogs and posts have three views:
- "View": Internal view URI, which is a normal detail page.
- "Internal Live": Internal view URI which is a little prettier.
- "External Live": External view URI for an external domain.
Right now, the differences are pretty minor (basically, different crumbs/chrome). This mostly gives us room to put some milder flavor of skins back later (photography or more "presentation" elements, for example).
This removes 9 million lines of code so I probably missed a couple of things, but I think it's like 95% of the way there.
Test Plan:
Here are some examples of what the "view", "internal" and "external" views look like for blogs (posts are similar):
"View": Unchanged
{F1021634}
"Internal": No chrome or footer. Still write actions (edit, post commments). Has crumbs to get back into Phame.
{F1021635}
"External": No chrome or footer. No write actions. No Phabricator crumbs. No policy/status information.
{F1021638}
I figure we'll probably tweak these a bit to figure out what makes sense (like: maybe no actions on "internal, live"? and "external, live" probably needs a way to set a root "Company >" crumb?) but that they're reasonable-ish as a first cut?
Reviewers: chad
Reviewed By: chad
Maniphest Tasks: T9897
Differential Revision: https://secure.phabricator.com/D14740
2015-12-11 16:07:45 +01:00
|
|
|
return '/phame/blog/view/'.$this->getID().'/';
|
2015-11-08 16:50:01 +01:00
|
|
|
}
|
|
|
|
|
2015-12-16 20:56:41 +01:00
|
|
|
public function getManageURI() {
|
|
|
|
return '/phame/blog/manage/'.$this->getID().'/';
|
|
|
|
}
|
|
|
|
|
2015-11-28 21:42:36 +01:00
|
|
|
public function getProfileImageURI() {
|
|
|
|
return $this->getProfileImageFile()->getBestURI();
|
|
|
|
}
|
|
|
|
|
|
|
|
public function attachProfileImageFile(PhabricatorFile $file) {
|
|
|
|
$this->profileImageFile = $file;
|
|
|
|
return $this;
|
|
|
|
}
|
|
|
|
|
|
|
|
public function getProfileImageFile() {
|
|
|
|
return $this->assertAttached($this->profileImageFile);
|
|
|
|
}
|
|
|
|
|
2016-06-17 20:23:12 +02:00
|
|
|
public function getHeaderImageURI() {
|
|
|
|
return $this->getHeaderImageFile()->getBestURI();
|
|
|
|
}
|
|
|
|
|
|
|
|
public function attachHeaderImageFile(PhabricatorFile $file) {
|
|
|
|
$this->headerImageFile = $file;
|
|
|
|
return $this;
|
|
|
|
}
|
|
|
|
|
|
|
|
public function getHeaderImageFile() {
|
|
|
|
return $this->assertAttached($this->headerImageFile);
|
|
|
|
}
|
|
|
|
|
2012-10-15 23:49:52 +02:00
|
|
|
|
|
|
|
/* -( PhabricatorPolicyInterface Implementation )-------------------------- */
|
|
|
|
|
|
|
|
|
|
|
|
public function getCapabilities() {
|
|
|
|
return array(
|
|
|
|
PhabricatorPolicyCapability::CAN_VIEW,
|
|
|
|
PhabricatorPolicyCapability::CAN_EDIT,
|
|
|
|
);
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
public function getPolicy($capability) {
|
|
|
|
switch ($capability) {
|
|
|
|
case PhabricatorPolicyCapability::CAN_VIEW:
|
|
|
|
return $this->getViewPolicy();
|
|
|
|
case PhabricatorPolicyCapability::CAN_EDIT:
|
|
|
|
return $this->getEditPolicy();
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
public function hasAutomaticCapability($capability, PhabricatorUser $user) {
|
|
|
|
$can_edit = PhabricatorPolicyCapability::CAN_EDIT;
|
|
|
|
|
|
|
|
switch ($capability) {
|
|
|
|
case PhabricatorPolicyCapability::CAN_VIEW:
|
|
|
|
// Users who can edit or post to a blog can always view it.
|
|
|
|
if (PhabricatorPolicyFilter::hasCapability($user, $this, $can_edit)) {
|
|
|
|
return true;
|
|
|
|
}
|
|
|
|
break;
|
|
|
|
}
|
|
|
|
|
|
|
|
return false;
|
|
|
|
}
|
|
|
|
|
2012-10-15 23:51:04 +02:00
|
|
|
|
2013-09-27 17:43:41 +02:00
|
|
|
public function describeAutomaticCapability($capability) {
|
|
|
|
switch ($capability) {
|
|
|
|
case PhabricatorPolicyCapability::CAN_VIEW:
|
|
|
|
return pht(
|
2015-11-09 17:52:44 +01:00
|
|
|
'Users who can edit a blog can always view it.');
|
2013-09-27 17:43:41 +02:00
|
|
|
}
|
|
|
|
|
|
|
|
return null;
|
|
|
|
}
|
|
|
|
|
|
|
|
|
2012-10-15 23:51:04 +02:00
|
|
|
/* -( PhabricatorMarkupInterface Implementation )-------------------------- */
|
|
|
|
|
|
|
|
|
|
|
|
public function getMarkupFieldKey($field) {
|
2017-04-06 18:55:37 +02:00
|
|
|
$content = $this->getMarkupText($field);
|
|
|
|
return PhabricatorMarkupEngine::digestRemarkupContent($this, $content);
|
2012-10-15 23:51:04 +02:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
public function newMarkupEngine($field) {
|
|
|
|
return PhabricatorMarkupEngine::newPhameMarkupEngine();
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
public function getMarkupText($field) {
|
|
|
|
return $this->getDescription();
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
public function didMarkupText(
|
|
|
|
$field,
|
|
|
|
$output,
|
|
|
|
PhutilMarkupEngine $engine) {
|
|
|
|
return $output;
|
|
|
|
}
|
|
|
|
|
|
|
|
public function shouldUseMarkupCache($field) {
|
|
|
|
return (bool)$this->getPHID();
|
|
|
|
}
|
|
|
|
|
2015-11-28 22:01:11 +01:00
|
|
|
/* -( PhabricatorDestructibleInterface )----------------------------------- */
|
|
|
|
|
|
|
|
public function destroyObjectPermanently(
|
|
|
|
PhabricatorDestructionEngine $engine) {
|
|
|
|
|
|
|
|
$this->openTransaction();
|
|
|
|
|
2016-06-28 02:07:03 +02:00
|
|
|
$posts = id(new PhamePostQuery())
|
|
|
|
->setViewer($engine->getViewer())
|
|
|
|
->withBlogPHIDs(array($this->getPHID()))
|
|
|
|
->execute();
|
2015-11-28 22:01:11 +01:00
|
|
|
foreach ($posts as $post) {
|
2016-06-28 02:07:03 +02:00
|
|
|
$engine->destroyObject($post);
|
2015-11-28 22:01:11 +01:00
|
|
|
}
|
|
|
|
$this->delete();
|
|
|
|
|
|
|
|
$this->saveTransaction();
|
|
|
|
}
|
|
|
|
|
2015-06-03 23:24:21 +02:00
|
|
|
|
|
|
|
/* -( PhabricatorApplicationTransactionInterface )------------------------- */
|
|
|
|
|
|
|
|
|
|
|
|
public function getApplicationTransactionEditor() {
|
|
|
|
return new PhameBlogEditor();
|
|
|
|
}
|
|
|
|
|
|
|
|
public function getApplicationTransactionObject() {
|
|
|
|
return $this;
|
|
|
|
}
|
|
|
|
|
|
|
|
public function getApplicationTransactionTemplate() {
|
|
|
|
return new PhameBlogTransaction();
|
|
|
|
}
|
|
|
|
|
|
|
|
public function willRenderTimeline(
|
|
|
|
PhabricatorApplicationTransactionView $timeline,
|
|
|
|
AphrontRequest $request) {
|
|
|
|
return $timeline;
|
|
|
|
}
|
|
|
|
|
2015-07-22 16:00:36 +02:00
|
|
|
|
|
|
|
/* -( PhabricatorSubscribableInterface Implementation )-------------------- */
|
|
|
|
|
|
|
|
|
|
|
|
public function isAutomaticallySubscribed($phid) {
|
2016-09-23 14:49:42 +02:00
|
|
|
return false;
|
2015-07-22 16:00:36 +02:00
|
|
|
}
|
|
|
|
|
|
|
|
|
2015-12-28 12:58:43 +01:00
|
|
|
/* -( PhabricatorConduitResultInterface )---------------------------------- */
|
|
|
|
|
|
|
|
|
|
|
|
public function getFieldSpecificationsForConduit() {
|
|
|
|
return array(
|
|
|
|
id(new PhabricatorConduitSearchFieldSpecification())
|
|
|
|
->setKey('name')
|
|
|
|
->setType('string')
|
|
|
|
->setDescription(pht('The name of the blog.')),
|
|
|
|
id(new PhabricatorConduitSearchFieldSpecification())
|
|
|
|
->setKey('description')
|
|
|
|
->setType('string')
|
|
|
|
->setDescription(pht('Blog description.')),
|
|
|
|
id(new PhabricatorConduitSearchFieldSpecification())
|
|
|
|
->setKey('status')
|
|
|
|
->setType('string')
|
|
|
|
->setDescription(pht('Archived or active status.')),
|
|
|
|
);
|
|
|
|
}
|
|
|
|
|
|
|
|
public function getFieldValuesForConduit() {
|
|
|
|
return array(
|
|
|
|
'name' => $this->getName(),
|
|
|
|
'description' => $this->getDescription(),
|
|
|
|
'status' => $this->getStatus(),
|
|
|
|
);
|
|
|
|
}
|
|
|
|
|
|
|
|
public function getConduitSearchAttachments() {
|
|
|
|
return array();
|
|
|
|
}
|
|
|
|
|
|
|
|
|
2016-06-14 21:58:21 +02:00
|
|
|
/* -( PhabricatorFulltextInterface )--------------------------------------- */
|
|
|
|
|
|
|
|
public function newFulltextEngine() {
|
|
|
|
return new PhameBlogFulltextEngine();
|
|
|
|
}
|
|
|
|
|
2012-07-19 18:03:10 +02:00
|
|
|
}
|