2012-07-19 18:03:10 +02:00
|
|
|
<?php
|
|
|
|
|
2012-10-15 23:50:04 +02:00
|
|
|
final class PhameBlogViewController extends PhameController {
|
2012-07-19 18:03:10 +02:00
|
|
|
|
2012-10-15 23:50:12 +02:00
|
|
|
private $id;
|
2012-07-19 18:03:10 +02:00
|
|
|
|
|
|
|
public function willProcessRequest(array $data) {
|
2012-10-15 23:50:12 +02:00
|
|
|
$this->id = $data['id'];
|
2012-07-19 18:03:10 +02:00
|
|
|
}
|
|
|
|
|
|
|
|
public function processRequest() {
|
2012-10-15 23:50:04 +02:00
|
|
|
$request = $this->getRequest();
|
|
|
|
$user = $request->getUser();
|
2012-07-19 18:03:10 +02:00
|
|
|
|
2012-10-15 23:49:52 +02:00
|
|
|
$blog = id(new PhameBlogQuery())
|
|
|
|
->setViewer($user)
|
2012-10-15 23:50:12 +02:00
|
|
|
->withIDs(array($this->id))
|
2012-10-15 23:49:52 +02:00
|
|
|
->executeOne();
|
2012-07-19 18:03:10 +02:00
|
|
|
if (!$blog) {
|
|
|
|
return new Aphront404Response();
|
|
|
|
}
|
|
|
|
|
2012-10-15 23:50:12 +02:00
|
|
|
$pager = id(new AphrontCursorPagerView())
|
|
|
|
->readFromRequest($request);
|
|
|
|
|
2012-10-15 23:50:04 +02:00
|
|
|
$posts = id(new PhamePostQuery())
|
|
|
|
->setViewer($user)
|
|
|
|
->withBlogPHIDs(array($blog->getPHID()))
|
2012-10-15 23:50:12 +02:00
|
|
|
->executeWithCursorPager($pager);
|
|
|
|
|
|
|
|
$nav = $this->renderSideNavFilterView(null);
|
|
|
|
|
2013-09-17 18:12:37 +02:00
|
|
|
$header = id(new PHUIHeaderView())
|
2013-09-19 01:27:24 +02:00
|
|
|
->setHeader($blog->getName())
|
2013-09-19 20:56:58 +02:00
|
|
|
->setUser($user)
|
|
|
|
->setPolicyObject($blog);
|
2012-10-15 23:50:12 +02:00
|
|
|
|
2012-10-15 23:50:37 +02:00
|
|
|
$handle_phids = array_merge(
|
|
|
|
mpull($posts, 'getBloggerPHID'),
|
|
|
|
mpull($posts, 'getBlogPHID'));
|
|
|
|
$this->loadHandles($handle_phids);
|
|
|
|
|
2012-10-15 23:50:12 +02:00
|
|
|
$actions = $this->renderActions($blog, $user);
|
2013-10-11 16:53:56 +02:00
|
|
|
$properties = $this->renderProperties($blog, $user, $actions);
|
2012-10-15 23:50:12 +02:00
|
|
|
$post_list = $this->renderPostList(
|
|
|
|
$posts,
|
|
|
|
$user,
|
|
|
|
pht('This blog has no visible posts.'));
|
|
|
|
|
2013-05-22 00:32:17 +02:00
|
|
|
require_celerity_resource('phame-css');
|
|
|
|
$post_list = id(new PHUIBoxView())
|
|
|
|
->addPadding(PHUI::PADDING_LARGE)
|
|
|
|
->addClass('phame-post-list')
|
|
|
|
->appendChild($post_list);
|
|
|
|
|
|
|
|
|
2013-04-14 17:02:29 +02:00
|
|
|
$crumbs = $this->buildApplicationCrumbs();
|
2013-12-19 02:47:34 +01:00
|
|
|
$crumbs->addTextCrumb($blog->getName(), $this->getApplicationURI());
|
2013-04-14 17:02:29 +02:00
|
|
|
|
2013-09-29 00:55:38 +02:00
|
|
|
$object_box = id(new PHUIObjectBoxView())
|
|
|
|
->setHeader($header)
|
2013-10-11 16:53:56 +02:00
|
|
|
->addPropertyList($properties);
|
2013-09-29 00:55:38 +02:00
|
|
|
|
2012-10-15 23:50:12 +02:00
|
|
|
$nav->appendChild(
|
2012-07-19 18:03:10 +02:00
|
|
|
array(
|
2013-04-14 17:02:29 +02:00
|
|
|
$crumbs,
|
2013-09-29 00:55:38 +02:00
|
|
|
$object_box,
|
2012-10-15 23:50:12 +02:00
|
|
|
$post_list,
|
|
|
|
));
|
|
|
|
|
|
|
|
return $this->buildApplicationPage(
|
|
|
|
$nav,
|
2012-07-19 18:03:10 +02:00
|
|
|
array(
|
2013-04-14 17:02:29 +02:00
|
|
|
'title' => $blog->getName(),
|
2012-07-19 18:03:10 +02:00
|
|
|
));
|
|
|
|
}
|
2012-10-15 23:50:12 +02:00
|
|
|
|
2013-10-11 16:53:56 +02:00
|
|
|
private function renderProperties(
|
|
|
|
PhameBlog $blog,
|
|
|
|
PhabricatorUser $user,
|
|
|
|
PhabricatorActionListView $actions) {
|
|
|
|
|
2013-04-12 01:10:09 +02:00
|
|
|
require_celerity_resource('aphront-tooltip-css');
|
|
|
|
Javelin::initBehavior('phabricator-tooltips');
|
|
|
|
|
2013-10-11 16:53:56 +02:00
|
|
|
$properties = new PHUIPropertyListView();
|
|
|
|
$properties->setActionList($actions);
|
2012-10-15 23:50:12 +02:00
|
|
|
|
|
|
|
$properties->addProperty(
|
|
|
|
pht('Skin'),
|
2013-01-29 20:01:47 +01:00
|
|
|
$blog->getSkin());
|
2012-10-15 23:50:12 +02:00
|
|
|
|
|
|
|
$properties->addProperty(
|
|
|
|
pht('Domain'),
|
2013-01-29 20:01:47 +01:00
|
|
|
$blog->getDomain());
|
2012-10-15 23:50:12 +02:00
|
|
|
|
2013-04-12 01:10:09 +02:00
|
|
|
$feed_uri = PhabricatorEnv::getProductionURI(
|
|
|
|
$this->getApplicationURI('blog/feed/'.$blog->getID().'/'));
|
|
|
|
$properties->addProperty(
|
|
|
|
pht('Atom URI'),
|
|
|
|
javelin_tag('a',
|
|
|
|
array(
|
|
|
|
'href' => $feed_uri,
|
|
|
|
'sigil' => 'has-tooltip',
|
|
|
|
'meta' => array(
|
|
|
|
'tip' => pht('Atom URI does not support custom domains.'),
|
|
|
|
'size' => 320,
|
|
|
|
)
|
|
|
|
),
|
|
|
|
$feed_uri));
|
|
|
|
|
2012-10-15 23:50:12 +02:00
|
|
|
$descriptions = PhabricatorPolicyQuery::renderPolicyDescriptions(
|
|
|
|
$user,
|
|
|
|
$blog);
|
|
|
|
|
|
|
|
$properties->addProperty(
|
|
|
|
pht('Editable By'),
|
|
|
|
$descriptions[PhabricatorPolicyCapability::CAN_EDIT]);
|
|
|
|
|
|
|
|
$properties->addProperty(
|
|
|
|
pht('Joinable By'),
|
|
|
|
$descriptions[PhabricatorPolicyCapability::CAN_JOIN]);
|
|
|
|
|
2012-10-15 23:51:04 +02:00
|
|
|
$engine = id(new PhabricatorMarkupEngine())
|
|
|
|
->setViewer($user)
|
|
|
|
->addObject($blog, PhameBlog::MARKUP_FIELD_DESCRIPTION)
|
|
|
|
->process();
|
|
|
|
|
|
|
|
$properties->addTextContent(
|
2013-01-29 20:01:47 +01:00
|
|
|
phutil_tag(
|
|
|
|
'div',
|
|
|
|
array(
|
|
|
|
'class' => 'phabricator-remarkup',
|
|
|
|
),
|
|
|
|
$engine->getOutput($blog, PhameBlog::MARKUP_FIELD_DESCRIPTION)));
|
2012-10-15 23:51:04 +02:00
|
|
|
|
2012-10-15 23:50:12 +02:00
|
|
|
return $properties;
|
|
|
|
}
|
|
|
|
|
|
|
|
private function renderActions(PhameBlog $blog, PhabricatorUser $user) {
|
|
|
|
$actions = id(new PhabricatorActionListView())
|
|
|
|
->setObject($blog)
|
2013-07-12 20:39:47 +02:00
|
|
|
->setObjectURI($this->getRequest()->getRequestURI())
|
2012-10-15 23:50:12 +02:00
|
|
|
->setUser($user);
|
|
|
|
|
|
|
|
$can_edit = PhabricatorPolicyFilter::hasCapability(
|
|
|
|
$user,
|
|
|
|
$blog,
|
|
|
|
PhabricatorPolicyCapability::CAN_EDIT);
|
|
|
|
|
|
|
|
$can_join = PhabricatorPolicyFilter::hasCapability(
|
|
|
|
$user,
|
|
|
|
$blog,
|
|
|
|
PhabricatorPolicyCapability::CAN_JOIN);
|
|
|
|
|
|
|
|
$actions->addAction(
|
|
|
|
id(new PhabricatorActionView())
|
2014-05-12 19:08:32 +02:00
|
|
|
->setIcon('fa-plus')
|
2012-10-16 18:44:43 +02:00
|
|
|
->setHref($this->getApplicationURI('post/edit/?blog='.$blog->getID()))
|
2012-10-15 23:50:12 +02:00
|
|
|
->setName(pht('Write Post'))
|
|
|
|
->setDisabled(!$can_join)
|
|
|
|
->setWorkflow(!$can_join));
|
|
|
|
|
|
|
|
$actions->addAction(
|
|
|
|
id(new PhabricatorActionView())
|
2013-02-20 01:04:54 +01:00
|
|
|
->setUser($user)
|
2014-05-12 19:08:32 +02:00
|
|
|
->setIcon('fa-globe')
|
Don't 302 to an external URI, even after CSRF POST
Summary:
Via HackerOne. This defuses an attack which allows users to steal OAuth tokens through a clever sequence of steps:
- The attacker begins the OAuth workflow and copies the Facebook URL.
- The attacker mutates the URL to use the JS/anchor workflow, and to redirect to `/phame/live/X/` instead of `/login/facebook:facebook.com/`, where `X` is the ID of some blog they control. Facebook isn't strict about paths, so this is allowed.
- The blog has an external domain set (`blog.evil.com`), and the attacker controls that domain.
- The user gets stopped on the "live" controller with credentials in the page anchor (`#access_token=...`) and a message ("This blog has moved...") in a dialog. They click "Continue", which POSTs a CSRF token.
- When a user POSTs a `<form />` with no `action` attribute, the browser retains the page anchor. So visiting `/phame/live/8/#anchor` and clicking the "Continue" button POSTs you to a page with `#anchor` intact.
- Some browsers (including Firefox and Chrome) retain the anchor after a 302 redirect.
- The OAuth credentials are thus preserved when the user reaches `blog.evil.com`, and the attacker's site can read them.
This 302'ing after CSRF post is unusual in Phabricator and unique to Phame. It's not necessary -- instead, just use normal links, which drop anchors.
I'm going to pursue further steps to mitigate this class of attack more thoroughly:
- Ideally, we should render forms with an explicit `action` attribute, but this might be a lot of work. I might render them with `#` if no action is provided. We never expect anchors to survive POST, and it's surprising to me that they do.
- I'm going to blacklist OAuth parameters (like `access_token`) from appearing in GET on all pages except whitelisted pages (login pages). Although it's not important here, I think these could be captured from referrers in some cases. See also T4342.
Test Plan: Browsed all the affected Phame interfaces.
Reviewers: btrahan
Reviewed By: btrahan
CC: aran, arice
Differential Revision: https://secure.phabricator.com/D8481
2014-03-11 00:21:07 +01:00
|
|
|
->setHref($blog->getLiveURI())
|
2012-10-15 23:51:30 +02:00
|
|
|
->setName(pht('View Live')));
|
2012-10-15 23:50:12 +02:00
|
|
|
|
|
|
|
$actions->addAction(
|
|
|
|
id(new PhabricatorActionView())
|
2014-05-12 19:08:32 +02:00
|
|
|
->setIcon('fa-pencil')
|
2012-10-15 23:50:12 +02:00
|
|
|
->setHref($this->getApplicationURI('blog/edit/'.$blog->getID().'/'))
|
|
|
|
->setName('Edit Blog')
|
|
|
|
->setDisabled(!$can_edit)
|
|
|
|
->setWorkflow(!$can_edit));
|
|
|
|
|
|
|
|
$actions->addAction(
|
|
|
|
id(new PhabricatorActionView())
|
2014-05-12 19:08:32 +02:00
|
|
|
->setIcon('fa-times')
|
2012-10-15 23:50:12 +02:00
|
|
|
->setHref($this->getApplicationURI('blog/delete/'.$blog->getID().'/'))
|
|
|
|
->setName('Delete Blog')
|
|
|
|
->setDisabled(!$can_edit)
|
|
|
|
->setWorkflow(true));
|
|
|
|
|
|
|
|
return $actions;
|
|
|
|
}
|
|
|
|
|
2012-07-19 18:03:10 +02:00
|
|
|
}
|