From 51de554238801a6b6969186ba27e4873ea0cd54b Mon Sep 17 00:00:00 2001
From: epriestley <git@epriestley.com>
Date: Tue, 5 Jul 2011 07:21:04 -0700
Subject: [PATCH] Validate the provided "host" key for certain Conduit methods

Summary: This allows us to detect a mismatched client and server hostname. See
D591.
Test Plan: See D591.
Reviewed By: tuomaspelkonen
Reviewers: jungejason, llorca, tuomaspelkonen, aran
CC: aran, tuomaspelkonen
Differential Revision: 592
---
 .../conduit/method/base/ConduitAPIMethod.php  | 25 +++++++++++++++++++
 .../conduit/method/base/__init__.php          |  3 +++
 .../ConduitAPI_conduit_connect_Method.php     |  3 +++
 ...nduitAPI_conduit_getcertificate_Method.php |  2 ++
 4 files changed, 33 insertions(+)

diff --git a/src/applications/conduit/method/base/ConduitAPIMethod.php b/src/applications/conduit/method/base/ConduitAPIMethod.php
index 7f04f9cb69..4cf59a2148 100644
--- a/src/applications/conduit/method/base/ConduitAPIMethod.php
+++ b/src/applications/conduit/method/base/ConduitAPIMethod.php
@@ -66,4 +66,29 @@ abstract class ConduitAPIMethod {
     return str_replace('_', '.', $method_fragment);
   }
 
+  protected function validateHost($host) {
+    if (!$host) {
+      // If the client doesn't send a host key, don't complain. We should in
+      // the future, but this change isn't severe enough to bump the protocol
+      // version.
+
+      // TODO: Remove this once the protocol version gets bumped past 2 (i.e.,
+      // require the host key be present and valid).
+      return;
+    }
+
+    $host = new PhutilURI($host);
+    $host->setPath('/');
+    $host = (string)$host;
+
+    $self = PhabricatorEnv::getProductionURI('/');
+    if ($self !== $host) {
+      throw new Exception(
+        "Your client is connecting to this install as '{$host}', but it is ".
+        "configured as '{$self}'. The client and server must use the exact ".
+        "same URI to identify the install. Edit your .arcconfig or ".
+        "phabricator/conf so they agree on the URI for the install.");
+    }
+  }
+
 }
diff --git a/src/applications/conduit/method/base/__init__.php b/src/applications/conduit/method/base/__init__.php
index f7268ea664..50c97a4d58 100644
--- a/src/applications/conduit/method/base/__init__.php
+++ b/src/applications/conduit/method/base/__init__.php
@@ -6,6 +6,9 @@
 
 
 
+phutil_require_module('phabricator', 'infrastructure/env');
+
+phutil_require_module('phutil', 'parser/uri');
 phutil_require_module('phutil', 'utils');
 
 
diff --git a/src/applications/conduit/method/conduit/connect/ConduitAPI_conduit_connect_Method.php b/src/applications/conduit/method/conduit/connect/ConduitAPI_conduit_connect_Method.php
index 6637c8a2f4..6e3e04d813 100644
--- a/src/applications/conduit/method/conduit/connect/ConduitAPI_conduit_connect_Method.php
+++ b/src/applications/conduit/method/conduit/connect/ConduitAPI_conduit_connect_Method.php
@@ -37,6 +37,7 @@ class ConduitAPI_conduit_connect_Method extends ConduitAPIMethod {
       'user'                => 'optional string',
       'authToken'           => 'optional int',
       'authSignature'       => 'optional string',
+      'host'                => 'required string',
     );
   }
 
@@ -70,6 +71,8 @@ class ConduitAPI_conduit_connect_Method extends ConduitAPIMethod {
 
   protected function execute(ConduitAPIRequest $request) {
 
+    $this->validateHost($request->getValue('host'));
+
     $client = $request->getValue('client');
     $client_version = (int)$request->getValue('clientVersion');
     $client_description = (string)$request->getValue('clientDescription');
diff --git a/src/applications/conduit/method/conduit/getcertificate/ConduitAPI_conduit_getcertificate_Method.php b/src/applications/conduit/method/conduit/getcertificate/ConduitAPI_conduit_getcertificate_Method.php
index f7f90d5938..4f24a08563 100644
--- a/src/applications/conduit/method/conduit/getcertificate/ConduitAPI_conduit_getcertificate_Method.php
+++ b/src/applications/conduit/method/conduit/getcertificate/ConduitAPI_conduit_getcertificate_Method.php
@@ -32,6 +32,7 @@ class ConduitAPI_conduit_getcertificate_Method extends ConduitAPIMethod {
   public function defineParamTypes() {
     return array(
       'token' => 'required string',
+      'host'  => 'required string',
     );
   }
 
@@ -49,6 +50,7 @@ class ConduitAPI_conduit_getcertificate_Method extends ConduitAPIMethod {
   }
 
   protected function execute(ConduitAPIRequest $request) {
+    $this->validateHost($request->getValue('host'));
 
     $failed_attempts = PhabricatorUserLog::loadRecentEventsFromThisIP(
       PhabricatorUserLog::ACTION_CONDUIT_CERTIFICATE_FAILURE,