phorge-phorge/src/applications/base/controller/Phabricator404Controller.php

<?php

final class Phabricator404Controller extends PhabricatorController {

  public function shouldRequireLogin() {

    // NOTE: See T2102 for discussion. When a logged-out user requests a page,
    // we give them a login form and set a `next_uri` cookie so we send them
    // back to the page they requested after they login. However, some browsers
    // or extensions request resources which may not exist (like
    // "apple-touch-icon.png" and "humans.txt") and these requests may overwrite
    // the stored "next_uri" after the login page loads. Our options for dealing
    // with this are all bad:
    //
    //  1. We can't put the URI in the form because some login methods (OAuth2)
    //     issue redirects to third-party sites. After T1536 we might be able
    //     to.
    //  2. We could set the cookie only if it doesn't exist, but then a user who
    //     declines to login will end up in the wrong place if they later do
    //     login.
    //  3. We can blacklist all the resources browsers request, but this is a
    //     mess.
    //  4. We can just allow users to access the 404 page without login, so
    //     requesting bad URIs doesn't set the cookie.
    //
    // This implements (4). The main downside is that an attacker can now detect
    // if a URI is routable (i.e., some application is installed) by testing for
    // 404 vs login. If possible, we should implement T1536 in such a way that
    // we can pass the next URI through the login process.

    return false;
  }

  public function processRequest() {
    return new Aphront404Response();
  }

}
I guess this can support JS too. 2011-01-30 01:16:09 +01:00			`<?php`

Add "final" to all Phabricator "Controller" classes Summary: These are all unambiguously unextensible. Issues I hit: - Maniphest Change/Diff controllers, just consolidated them. - Some search controllers incorrectly extend from "Search" but should extend from "SearchBase". This has no runtime effects. - D1836 introduced a closure, which we don't handle correctly (somewhat on purpose; we target PHP 5.2). See T962. Test Plan: Ran "testEverythingImplemented" unit test to identify classes extending from `final` classes. Resolved issues. Reviewers: btrahan Reviewed By: btrahan CC: aran, epriestley Maniphest Tasks: T795 Differential Revision: https://secure.phabricator.com/D1843 2012-03-10 00:46:25 +01:00			`final class Phabricator404Controller extends PhabricatorController {`
I guess this can support JS too. 2011-01-30 01:16:09 +01:00
Fix a redirect-on-login issue by allowing logged-out users to view 404 pages Summary: See T2102 and inline for discussion. This seems like the least-bad approach until we have something better. The utility of next_uri seems much greater than the minor exposure of routable URIs. Note that attackers can //not// detect if routable URIs are //valid// (e.g., "/D999" will always hit the login page whether it exists or not), just that they're routable. So you can only really tell if apps are installed or not. Test Plan: Hit `/alsdknlkasnbla` while logged out, got 404 instead of login. Reviewers: vrana, codeblock, btrahan Reviewed By: codeblock CC: aran Maniphest Tasks: T2102 Differential Revision: https://secure.phabricator.com/D4012 2012-11-21 23:43:35 +01:00			`public function shouldRequireLogin() {`

			`// NOTE: See T2102 for discussion. When a logged-out user requests a page,`
			// we give them a login form and set a `next_uri` cookie so we send them
			`// back to the page they requested after they login. However, some browsers`
			`// or extensions request resources which may not exist (like`
			`// "apple-touch-icon.png" and "humans.txt") and these requests may overwrite`
			`// the stored "next_uri" after the login page loads. Our options for dealing`
			`// with this are all bad:`
			`//`
			`// 1. We can't put the URI in the form because some login methods (OAuth2)`
			`// issue redirects to third-party sites. After T1536 we might be able`
			`// to.`
			`// 2. We could set the cookie only if it doesn't exist, but then a user who`
			`// declines to login will end up in the wrong place if they later do`
			`// login.`
			`// 3. We can blacklist all the resources browsers request, but this is a`
			`// mess.`
			`// 4. We can just allow users to access the 404 page without login, so`
			`// requesting bad URIs doesn't set the cookie.`
			`//`
			`// This implements (4). The main downside is that an attacker can now detect`
			`// if a URI is routable (i.e., some application is installed) by testing for`
			`// 404 vs login. If possible, we should implement T1536 in such a way that`
			`// we can pass the next URI through the login process.`

			`return false;`
			`}`

I guess this can support JS too. 2011-01-30 01:16:09 +01:00			`public function processRequest() {`
			`return new Aphront404Response();`
			`}`

			`}`