mirror of https://we.phorge.it/source/phorge.git synced 2024-12-24 14:30:56 +01:00

Fix a CSRF issue with adding new email addresses

Summary:
The first dialog was being given the wrong user (`$user`, should be `$viewer`), leading to a CSRF issue.

(The CSRF token it generated was invalid in all validation contexts, so this wasn't a security problem or a way to capture CSRF tokens for other users.)

Use `newDialog()` instead.

(This seems completely unrelated to the vaguely-similar-looking issues we saw earlier this week.)

Test Plan:
  - Added a new email address.
  - Clicked "Done" on the last step.
  - Completed workflow instead of getting a CSRF error.

Reviewers: chad, tide

Reviewed By: tide

Differential Revision: https://secure.phabricator.com/D16200
This commit is contained in:
epriestley 2016-06-30 08:22:20 -07:00
parent 922822bd2d
commit 4f8d07594e


@ -227,8 +227,7 @@ final class PhabricatorEmailAddressesSettingsPanel
$object->sendVerificationEmail($user); $object->sendVerificationEmail($user);
$dialog = id(new AphrontDialogView()) $dialog = $this->newDialog()
->setUser($user)
->addHiddenInput('new', 'verify') ->addHiddenInput('new', 'verify')
->setTitle(pht('Verification Email Sent')) ->setTitle(pht('Verification Email Sent'))
->appendChild(phutil_tag('p', array(), pht( ->appendChild(phutil_tag('p', array(), pht(
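Review bot: the fix in this hunk silently depends on `$this->newDialog()` binding the dialog to `$viewer`, and the explicit `->setUser($user)` that was the actual bug is simply dropped, so nothing in the diff shows a reader why the user changed. Since the line directly above still passes `$user` to `sendVerificationEmail($user)`, the two variables sit side by side with no hint that one is the account being edited and the other is the acting viewer whose CSRF token must be validated; a one-line comment above `$dialog = $this->newDialog()` noting that the dialog must be bound to the viewer (not the target user) for CSRF validation to pass would make the distinction explicit and prevent the same `$user`/`$viewer` mix-up from being reintroduced. It would also help to confirm that no other dialog in this panel still constructs `AphrontDialogView` directly with `$user`.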
@ -259,8 +258,7 @@ final class PhabricatorEmailAddressesSettingsPanel
->setCaption(PhabricatorUserEmail::describeAllowedAddresses()) ->setCaption(PhabricatorUserEmail::describeAllowedAddresses())
->setError($e_email)); ->setError($e_email));
$dialog = id(new AphrontDialogView()) $dialog = $this->newDialog()
->setUser($viewer)
->addHiddenInput('new', 'true') ->addHiddenInput('new', 'true')
->setTitle(pht('New Address')) ->setTitle(pht('New Address'))
->appendChild($errors) ->appendChild($errors)
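Review bot: the removed line in this hunk already used `->setUser($viewer)`, so unlike the first hunk this is a consistency change rather than a behavioural fix, which matches the summary's statement that only the first dialog was affected. Worth stating that in the commit message or a comment so a future reader does not assume both dialogs had the CSRF defect, and worth a quick check that the defaults `newDialog()` applies beyond the viewer binding do not alter how this "New Address" dialog renders compared to the bare `AphrontDialogView` it replaces.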