revi-archive/phorge-phorge
1
0
Fork 0
mirror of https://we.phorge.it/source/phorge.git synced 2024-12-20 20:40:56 +01:00
Code Issues Releases Wiki Activity

Fix some security issues with email password resets

Browse source 
Summary:
Via HackerOne, there are two related low-severity issues with this workflow:

  - We don't check if you're already logged in, so an attacker can trick a victim (whether they're logged in or not) into clicking a reset link for an account the attacker controls (maybe via an invisible iframe) and log the user in under a different account.
  - We don't check CSRF tokens either, so after fixing the first thing, an attacker can still trick a //logged-out// victim in the same way.

It's not really clear that doing this opens up any significant attacks afterward, but both of these behaviors aren't good.

I'll probably land this for audit in a few hours if @btrahan doesn't have a chance to take a look at it since he's probably on a plane for most of the day, I'm pretty confident it doesn't break anything.

Test Plan:
  - As a logged-in user, clicked another user's password reset link and was not logged in.
  - As a logged-out user, clicked a password reset link and needed to submit a form to complete the workflow.

Reviewers: btrahan

CC: chad, btrahan, aran

Differential Revision: https://secure.phabricator.com/D8079
This commit is contained in:
epriestley 2014-01-27 13:20:55 -08:00
parent 3fd20e4725
commit 152f05aebe
1 changed files with 64 additions and 29 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

93
src/applications/auth/controller/PhabricatorEmailTokenController.php
View file

@ -16,19 +16,14 @@ final class PhabricatorEmailTokenController
public function processRequest() {
$request = $this->getRequest();
if ($request->getUser()->isLoggedIn()) {
return $this->renderError(
pht('You are already logged in.'));
}
$token = $this->token;
$email = $request->getStr('email');
// NOTE: We need to bind verification to **addresses**, not **users**,
// because we verify addresses when they're used to login this way, and if
// we have a user-based verification you can:
//
// - Add some address you do not own;
// - request a password reset;
// - change the URI in the email to the address you don't own;
// - login via the email link; and
// - get a "verified" address you don't control.
$target_email = id(new PhabricatorUserEmail())->loadOneWhere(
'address = %s',
$email);
@ -40,6 +35,16 @@ final class PhabricatorEmailTokenController
$target_email->getUserPHID());
}
// NOTE: We need to bind verification to **addresses**, not **users**,
// because we verify addresses when they're used to login this way, and if
// we have a user-based verification you can:
//
// - Add some address you do not own;
// - request a password reset;
// - change the URI in the email to the address you don't own;
// - login via the email link; and
// - get a "verified" address you don't control.
if (!$target_email ||
!$target_user ||
!$target_user->validateEmailToken($target_email, $token)) {
@ -65,29 +70,59 @@ final class PhabricatorEmailTokenController
));
}
// Verify email so that clicking the link in the "Welcome" email is good
// enough, without requiring users to go through a second round of email
// verification.
if ($request->isFormPost()) {
// Verify email so that clicking the link in the "Welcome" email is good
// enough, without requiring users to go through a second round of email
// verification.
$unguarded = AphrontWriteGuard::beginScopedUnguardedWrites();
$target_email->setIsVerified(1);
$target_email->save();
unset($unguarded);
$unguarded = AphrontWriteGuard::beginScopedUnguardedWrites();
$target_email->setIsVerified(1);
$target_email->save();
unset($unguarded);
$next = '/';
if (!PhabricatorAuthProviderPassword::getPasswordProvider()) {
$next = '/settings/panel/external/';
} else if (PhabricatorEnv::getEnvConfig('account.editable')) {
$next = (string)id(new PhutilURI('/settings/panel/password/'))
->setQueryParams(
array(
'token' => $token,
'email' => $email,
));
$next = '/';
if (!PhabricatorAuthProviderPassword::getPasswordProvider()) {
$next = '/settings/panel/external/';
} else if (PhabricatorEnv::getEnvConfig('account.editable')) {
$next = (string)id(new PhutilURI('/settings/panel/password/'))
->setQueryParams(
array(
'token' => $token,
'email' => $email,
));
}
PhabricatorCookies::setNextURICookie($request, $next, $force = true);
return $this->loginUser($target_user);
}
PhabricatorCookies::setNextURICookie($request, $next, $force = true);
// NOTE: We need to CSRF here so attackers can't generate an email link,
// then log a user in to an account they control via sneaky invisible
// form submissions.
return $this->loginUser($target_user);
// TODO: Since users can arrive here either through password reset or
// through welcome emails, it might be nice to include the workflow type
// in the URI or query params so we can tailor the messaging. Right now,
// it has to be generic enough to make sense in either workflow, which
// leaves it feeling a little awkward.
$dialog = id(new AphrontDialogView())
->setUser($request->getUser())
->setTitle(pht('Login to Phabricator'))
->addHiddenInput('email', $email)
->appendParagraph(
pht(
'Use the button below to log in as: %s',
phutil_tag('strong', array(), $email)))
->appendParagraph(
pht(
'After logging in you should set a password for your account, or '.
'link your account to an external account that you can use to '.
'authenticate in the future.'))
->addSubmitButton(pht('Login (%s)', $email))
->addCancelButton('/');
return id(new AphrontDialogResponse())->setDialog($dialog);
}
}