Validate the provided "host" key for certain Conduit methods
Summary: This allows us to detect a mismatched client and server hostname. See D591. Test Plan: See D591. Reviewed By: tuomaspelkonen Reviewers: jungejason, llorca, tuomaspelkonen, aran CC: aran, tuomaspelkonen Differential Revision: 592
parent
c9b7cffa4f
commit
51de554238
4 changed files with 33 additions and 0 deletions
|
@ -66,4 +66,29 @@ abstract class ConduitAPIMethod {
|
||||||
return str_replace('_', '.', $method_fragment);
|
return str_replace('_', '.', $method_fragment);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
protected function validateHost($host) {
|
||||||
|
if (!$host) {
|
||||||
|
// If the client doesn't send a host key, don't complain. We should in
|
||||||
|
// the future, but this change isn't severe enough to bump the protocol
|
||||||
|
// version.
|
||||||
|
|
||||||
|
// TODO: Remove this once the protocol version gets bumped past 2 (i.e.,
|
||||||
|
// require the host key be present and valid).
|
||||||
|
return;
|
||||||
|
}
|
||||||
|
|
||||||
|
$host = new PhutilURI($host);
|
||||||
|
$host->setPath('/');
|
||||||
|
$host = (string)$host;
|
||||||
|
|
||||||
|
$self = PhabricatorEnv::getProductionURI('/');
|
||||||
|
if ($self !== $host) {
|
||||||
|
throw new Exception(
|
||||||
|
"Your client is connecting to this install as '{$host}', but it is ".
|
||||||
|
"configured as '{$self}'. The client and server must use the exact ".
|
||||||
|
"same URI to identify the install. Edit your .arcconfig or ".
|
||||||
|
"phabricator/conf so they agree on the URI for the install.");
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
}
|
}
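Review bot: validateHost() has no docblock, and the `if (!$host)` early return skips the comparison whenever the client omits the key or sends an empty string or `'0'`, so a clean return does not prove the host was checked. I would add a docblock saying that the method compares a client-asserted URI against `PhabricatorEnv::getProductionURI('/')` to catch misconfiguration, that it throws a plain `Exception` on mismatch, and that a missing value is accepted until the protocol version is bumped. The comparison is a strict string match after only the path is reset, so a query string or fragment in the submitted value will be reported as a mismatch. Unless `PhutilURI` normalizes them, hostname case or an explicit default port will be too, so the docblock should say this or both sides should be normalized the same way.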
|
||||||
|
|
|
@ -6,6 +6,9 @@
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
phutil_require_module('phabricator', 'infrastructure/env');
|
||||||
|
|
||||||
|
phutil_require_module('phutil', 'parser/uri');
|
||||||
phutil_require_module('phutil', 'utils');
|
phutil_require_module('phutil', 'utils');
|
||||||
|
|
||||||
|
|
||||||
|
|
|
@ -37,6 +37,7 @@ class ConduitAPI_conduit_connect_Method extends ConduitAPIMethod {
|
||||||
'user' => 'optional string',
|
'user' => 'optional string',
|
||||||
'authToken' => 'optional int',
|
'authToken' => 'optional int',
|
||||||
'authSignature' => 'optional string',
|
'authSignature' => 'optional string',
|
||||||
|
'host' => 'required string',
|
||||||
);
|
);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -70,6 +71,8 @@ class ConduitAPI_conduit_connect_Method extends ConduitAPIMethod {
|
||||||
|
|
||||||
protected function execute(ConduitAPIRequest $request) {
|
protected function execute(ConduitAPIRequest $request) {
|
||||||
|
|
||||||
|
$this->validateHost($request->getValue('host'));
|
||||||
|
|
||||||
$client = $request->getValue('client');
|
$client = $request->getValue('client');
|
||||||
$client_version = (int)$request->getValue('clientVersion');
|
$client_version = (int)$request->getValue('clientVersion');
|
||||||
$client_description = (string)$request->getValue('clientDescription');
|
$client_description = (string)$request->getValue('clientDescription');
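Review bot: `'host' => 'required string'` in defineParamTypes() disagrees with validateHost(), which returns without complaint when the key is absent, so the declared contract is stricter than what execute() enforces. The same applies to the `'host'` entry added in ConduitAPI_conduit_getcertificate_Method. If the declaration is meant as guidance for client authors ahead of the protocol bump, a short comment next to the entry would make that clear, e.g. `// Declared required, but not enforced until the protocol version is bumped; see validateHost().`; otherwise `'optional string'` matches the current behaviour. Whether the framework enforces these declarations is not visible on this page, and execute() continues past the end of the hunk.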
|
||||||
|
|
|
@ -32,6 +32,7 @@ class ConduitAPI_conduit_getcertificate_Method extends ConduitAPIMethod {
|
||||||
public function defineParamTypes() {
|
public function defineParamTypes() {
|
||||||
return array(
|
return array(
|
||||||
'token' => 'required string',
|
'token' => 'required string',
|
||||||
|
'host' => 'required string',
|
||||||
);
|
);
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -49,6 +50,7 @@ class ConduitAPI_conduit_getcertificate_Method extends ConduitAPIMethod {
|
||||||
}
|
}
|
||||||
|
|
||||||
protected function execute(ConduitAPIRequest $request) {
|
protected function execute(ConduitAPIRequest $request) {
|
||||||
|
$this->validateHost($request->getValue('host'));
|
||||||
|
|
||||||
$failed_attempts = PhabricatorUserLog::loadRecentEventsFromThisIP(
|
$failed_attempts = PhabricatorUserLog::loadRecentEventsFromThisIP(
|
||||||
PhabricatorUserLog::ACTION_CONDUIT_CERTIFICATE_FAILURE,
|
PhabricatorUserLog::ACTION_CONDUIT_CERTIFICATE_FAILURE,
|
||||||
|
|