
Fix an open redirect issue in Phame with "View Live"

Summary: Currently, you can set a blog URI to "evil.com" and then the live controller will issue a redirect. Instead, require a CSRF check. If it fails, pop a "this blog has moved" dialog.

Test Plan:
  - Clicked "View Live" for in-app and on-domain blogs and posts.
  - Hit URI directly.

{F33302}

Reviewers: vrana

Reviewed By: vrana

CC: cbg, aran

Differential Revision: https://secure.phabricator.com/D5021
This commit is contained in:
epriestley 2013-02-19 16:04:54 -08:00
parent 17cabea1bc
commit 2f66138464
3 changed files with 21 additions and 2 deletions


@ -30,8 +30,23 @@ final class PhameBlogLiveController extends PhameController {
}
if ($blog->getDomain() && ($request->getHost() != $blog->getDomain())) {
return id(new AphrontRedirectResponse())
->setURI('http://'.$blog->getDomain().'/'.$this->more);
$base_uri = 'http://'.$blog->getDomain().'/';
if ($request->isFormPost()) {
return id(new AphrontRedirectResponse())
->setURI($base_uri.$this->more);
} else {
// If we don't have CSRF, return a dialog instead of automatically
// redirecting, to prevent this endpoint from serving semi-open
// redirects.
$dialog = id(new AphrontDialogView())
->setTitle(pht('Blog Moved'))
->setUser($user)
->appendChild(
pht('This blog is now hosted at %s.',
$base_uri))
->addSubmitButton(pht('Continue'));
return id(new AphrontDialogResponse())->setDialog($dialog);
}
}
$phame_request = clone $request;
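Review bot: The dialog built at L44-L50 tells the user the blog is hosted at `$base_uri`, but the redirect issued once they confirm (L38-L39) goes to `$base_uri.$this->more`, so the destination the user approves is not the exact one the browser is sent to; `$this->more` appears to be the remaining path captured by the route and is never shown. Consider displaying the full target in the dialog, e.g. `pht('This blog is now hosted at %s.', $base_uri.$this->more)`, so the confirmation names the URI it will redirect to. The `else` after the returning `if` branch is unnecessary; the dialog code can sit at the enclosing level. The enclosing method starts before the hunk and continues past it, and `$user` is presumably assigned earlier in it.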


@ -133,8 +133,10 @@ final class PhameBlogViewController extends PhameController {
$actions->addAction(
id(new PhabricatorActionView())
->setUser($user)
->setIcon('world')
->setHref($this->getApplicationURI('live/'.$blog->getID().'/'))
->setRenderAsForm(true)
->setName(pht('View Live')));
$actions->addAction(
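Review bot: The reason for `->setRenderAsForm(true)` at L64 is not visible from this file: it exists so the "View Live" action submits a POST carrying a CSRF token, which is what the live controller now requires before redirecting off-site. Add a short why-comment above the action, e.g. `// Rendered as a form so the live controller receives a CSRF token; it only redirects to an external domain on a valid POST.` The same applies to the matching `setRenderAsForm(true)` in PhamePostViewController. The enclosing method starts before the hunk and continues past it.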


@ -139,9 +139,11 @@ final class PhamePostViewController extends PhameController {
$actions->addAction(
id(new PhabricatorActionView())
->setUser($user)
->setIcon('world')
->setHref($live_uri)
->setName(pht('View Live'))
->setRenderAsForm(true)
->setDisabled(!$can_view_live)
->setWorkflow(!$can_view_live));