Fix an open redirect issue in Phame with "View Live"
Summary: Currently, you can set a blog URI to "evil.com" and then the live controller will issue a redirect. Instead, require a CSRF check. If it fails, pop a "this blog has moved" dialog. Test Plan: - Clicked "View Live" for in-app and on-domain blogs and posts. - Hit URI directly. {F33302} Reviewers: vrana Reviewed By: vrana CC: cbg, aran Differential Revision: https://secure.phabricator.com/D5021
This commit is contained in:
parent
17cabea1bc
commit
2f66138464
3 changed files with 21 additions and 2 deletions
@ -30,8 +30,23 @@ final class PhameBlogLiveController extends PhameController {
}
if ($blog->getDomain() && ($request->getHost() != $blog->getDomain())) {
return id(new AphrontRedirectResponse())
->setURI('http://'.$blog->getDomain().'/'.$this->more);
$base_uri = 'http://'.$blog->getDomain().'/';
if ($request->isFormPost()) {
return id(new AphrontRedirectResponse())
->setURI($base_uri.$this->more);
} else {
// If we don't have CSRF, return a dialog instead of automatically
// redirecting, to prevent this endpoint from serving semi-open
// redirects.
$dialog = id(new AphrontDialogView())
->setTitle(pht('Blog Moved'))
->setUser($user)
->appendChild(
pht('This blog is now hosted at %s.',
$base_uri))
->addSubmitButton(pht('Continue'));
return id(new AphrontDialogResponse())->setDialog($dialog);
}
}
$phame_request = clone $request;
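Review bot: The new `$base_uri = 'http://'.$blog->getDomain().'/';` hard-codes the scheme, so a blog that is actually served over TLS is both advertised in the dialog and redirected to as a plaintext URL; since this commit is about controlling where the endpoint sends users, the scheme deserves the same care — derive it from the incoming request's protocol or a configured value, e.g. `$base_uri = $request->getProtocol().'://'.$blog->getDomain().'/';`, though I cannot see from here which accessor the request object offers. The `isFormPost()` gate only closes the open redirect if the framework has already validated the CSRF token for every form POST before this controller runs, and the comment should state that dependency rather than leave it implied: `// isFormPost() is only true for a CSRF-validated POST; a plain GET gets the dialog below.` The domain check on the unchanged line above compares with `!=` and is case-sensitive, so a request whose Host differs only in case (or carries a port) would fall into the "Blog Moved" dialog instead of serving the blog; `!==` against normalized hosts would be tighter, although that line predates this change. The enclosing method begins above the hunk, so I could not confirm where `$user` passed to `setUser()` is defined.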
@ -133,8 +133,10 @@ final class PhameBlogViewController extends PhameController {
$actions->addAction(
id(new PhabricatorActionView())
->setUser($user)
->setIcon('world')
->setHref($this->getApplicationURI('live/'.$blog->getID().'/'))
->setRenderAsForm(true)
->setName(pht('View Live')));
$actions->addAction(
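Review bot: The added `->setRenderAsForm(true)` is what makes the live controller's CSRF gate effective, but nothing at this call site records that, so a later cleanup could turn the action back into a plain link and silently reopen the redirect; a comment above the action would pin the intent: `// Must be a form, not a link: the live controller only redirects off-site for a CSRF-validated POST.` Rendering as a form also means "View Live" can no longer be middle-clicked into a new tab or bookmarked, which is worth stating in the description if it is an accepted trade-off. Unlike the post view's action, this one is never disabled, so presumably the live controller copes with a blog that has neither a domain nor an in-app view — I cannot confirm that from this hunk. The enclosing method begins above the hunk.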
@ -139,9 +139,11 @@ final class PhamePostViewController extends PhameController {
$actions->addAction(
id(new PhabricatorActionView())
->setUser($user)
->setIcon('world')
->setHref($live_uri)
->setName(pht('View Live'))
->setRenderAsForm(true)
->setDisabled(!$can_view_live)
->setWorkflow(!$can_view_live));
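Review bot: The new `->setWorkflow(!$can_view_live)` is added next to `->setRenderAsForm(true)` with no explanation of why a disabled action should also be a workflow, and `$can_view_live` and `$live_uri` are computed above the hunk, so a reader cannot tell what "cannot view live" covers or what the workflow dialog will show; a short comment would help, e.g. `// Always a form so the live controller gets a CSRF-validated POST; when live viewing is unavailable, route the click through a workflow dialog instead.` — the second clause is my reading of the disabled+workflow pairing and should be confirmed against how PhabricatorActionView renders it. The enclosing method begins above the hunk.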