Fix an open redirect issue in Phame with "View Live"

Summary: Currently, you can set a blog URI to "evil.com" and then the live controller will issue a redirect. Instead, require a CSRF check. If it fails, pop a "this blog has moved" dialog. Test Plan: - Clicked "View Live" for in-app and on-domain blogs and posts. - Hit URI directly. {F33302} Reviewers: vrana Reviewed By: vrana CC: cbg, aran Differential Revision: https://secure.phabricator.com/D5021
2024-11-26 08:42:41 +01:00 · 2013-02-19 16:04:54 -08:00 · 2013-02-19 16:04:54 -08:00 · 2f66138464
commit 2f66138464
parent 17cabea1bc
3 changed files with 21 additions and 2 deletions
--- a/src/applications/phame/controller/blog/PhameBlogLiveController.php
+++ b/src/applications/phame/controller/blog/PhameBlogLiveController.php
@ -30,8 +30,23 @@ final class PhameBlogLiveController extends PhameController {
    }

    if ($blog->getDomain() && ($request->getHost() != $blog->getDomain())) {
-      return id(new AphrontRedirectResponse())
-        ->setURI('http://'.$blog->getDomain().'/'.$this->more);
+      $base_uri = 'http://'.$blog->getDomain().'/';
+      if ($request->isFormPost()) {
+        return id(new AphrontRedirectResponse())
+          ->setURI($base_uri.$this->more);
+      } else {
+        // If we don't have CSRF, return a dialog instead of automatically
+        // redirecting, to prevent this endpoint from serving semi-open
+        // redirects.
+        $dialog = id(new AphrontDialogView())
+          ->setTitle(pht('Blog Moved'))
+          ->setUser($user)
+          ->appendChild(
+            pht('This blog is now hosted at %s.',
+              $base_uri))
+          ->addSubmitButton(pht('Continue'));
+        return id(new AphrontDialogResponse())->setDialog($dialog);
+      }
    }

    $phame_request = clone $request;
--- a/src/applications/phame/controller/blog/PhameBlogViewController.php
+++ b/src/applications/phame/controller/blog/PhameBlogViewController.php
@ -133,8 +133,10 @@ final class PhameBlogViewController extends PhameController {

    $actions->addAction(
      id(new PhabricatorActionView())
+        ->setUser($user)
        ->setIcon('world')
        ->setHref($this->getApplicationURI('live/'.$blog->getID().'/'))
+        ->setRenderAsForm(true)
        ->setName(pht('View Live')));

    $actions->addAction(
--- a/src/applications/phame/controller/post/PhamePostViewController.php
+++ b/src/applications/phame/controller/post/PhamePostViewController.php
@ -139,9 +139,11 @@ final class PhamePostViewController extends PhameController {

    $actions->addAction(
      id(new PhabricatorActionView())
+        ->setUser($user)
        ->setIcon('world')
        ->setHref($live_uri)
        ->setName(pht('View Live'))
+        ->setRenderAsForm(true)
        ->setDisabled(!$can_view_live)
        ->setWorkflow(!$can_view_live));