diff --git a/src/applications/phame/controller/blog/PhameBlogLiveController.php b/src/applications/phame/controller/blog/PhameBlogLiveController.php index 9b3e1fec80..3fe3073c99 100644 --- a/src/applications/phame/controller/blog/PhameBlogLiveController.php +++ b/src/applications/phame/controller/blog/PhameBlogLiveController.php @@ -30,39 +30,42 @@ final class PhameBlogLiveController extends PhameController { } if ($blog->getDomain() && ($request->getHost() != $blog->getDomain())) { - $base_uri = 'http://'.$blog->getDomain().'/'; - if ($request->isFormPost()) { - return id(new AphrontRedirectResponse()) - ->setURI($base_uri.$this->more); - } else { - // If we don't have CSRF, return a dialog instead of automatically - // redirecting, to prevent this endpoint from serving semi-open - // redirects. - $dialog = id(new AphrontDialogView()) - ->setTitle(pht('Blog Moved')) - ->setUser($user) - ->appendChild( - pht('This blog is now hosted at %s.', - $base_uri)) - ->addSubmitButton(pht('Continue')); - return id(new AphrontDialogResponse())->setDialog($dialog); - } + $base_uri = $blog->getLiveURI(); + + // Don't redirect directly, since the domain is user-controlled and there + // are a bevy of security issues associated with automatic redirects to + // external domains. + + // Previously we CSRF'd this and someone found a way to pass OAuth + // information through it using anchors. Just make users click a normal + // link so that this is no more dangerous than any other external link + // on the site. + + $dialog = id(new AphrontDialogView()) + ->setTitle(pht('Blog Moved')) + ->setUser($user) + ->appendParagraph(pht('This blog is now hosted here:')) + ->appendParagraph( + phutil_tag( + 'a', + array( + 'href' => $base_uri, + ), + $base_uri)) + ->addCancelButton('/'); + + return id(new AphrontDialogResponse())->setDialog($dialog); } $phame_request = clone $request; $phame_request->setPath('/'.ltrim($this->more, '/')); - if ($blog->getDomain()) { - $uri = new PhutilURI('http://'.$blog->getDomain().'/'); - } else { - $uri = '/phame/live/'.$blog->getID().'/'; - $uri = PhabricatorEnv::getURI($uri); - } + $uri = $blog->getLiveURI(); $skin = $blog->getSkinRenderer($phame_request); $skin ->setBlog($blog) - ->setBaseURI((string)$uri); + ->setBaseURI($uri); $skin->willProcessRequest(array()); return $skin->processRequest(); diff --git a/src/applications/phame/controller/blog/PhameBlogViewController.php b/src/applications/phame/controller/blog/PhameBlogViewController.php index 5bd9fabbbd..9d975055fc 100644 --- a/src/applications/phame/controller/blog/PhameBlogViewController.php +++ b/src/applications/phame/controller/blog/PhameBlogViewController.php @@ -158,8 +158,6 @@ final class PhameBlogViewController extends PhameController { $blog, PhabricatorPolicyCapability::CAN_JOIN); - $must_use_form = $blog->getDomain(); - $actions->addAction( id(new PhabricatorActionView()) ->setIcon('new') @@ -172,8 +170,7 @@ final class PhameBlogViewController extends PhameController { id(new PhabricatorActionView()) ->setUser($user) ->setIcon('world') - ->setHref($this->getApplicationURI('live/'.$blog->getID().'/')) - ->setRenderAsForm($must_use_form) + ->setHref($blog->getLiveURI()) ->setName(pht('View Live'))); $actions->addAction( diff --git a/src/applications/phame/controller/post/PhamePostViewController.php b/src/applications/phame/controller/post/PhamePostViewController.php index bac0a370d3..000942d96a 100644 --- a/src/applications/phame/controller/post/PhamePostViewController.php +++ b/src/applications/phame/controller/post/PhamePostViewController.php @@ -141,14 +141,13 @@ final class PhamePostViewController extends PhameController { $blog = $post->getBlog(); $can_view_live = $blog && !$post->isDraft(); - $must_use_form = $blog && $blog->getDomain(); if ($can_view_live) { - $live_uri = 'live/'.$blog->getID().'/post/'.$post->getPhameTitle(); + $live_uri = $blog->getLiveURI($post); } else { $live_uri = 'post/notlive/'.$post->getID().'/'; + $live_uri = $this->getApplicationURI($live_uri); } - $live_uri = $this->getApplicationURI($live_uri); $actions->addAction( id(new PhabricatorActionView()) @@ -156,7 +155,6 @@ final class PhamePostViewController extends PhameController { ->setIcon('world') ->setHref($live_uri) ->setName(pht('View Live')) - ->setRenderAsForm($must_use_form) ->setDisabled(!$can_view_live) ->setWorkflow(!$can_view_live)); diff --git a/src/applications/phame/storage/PhameBlog.php b/src/applications/phame/storage/PhameBlog.php index 2a5ce6832c..39f3f14910 100644 --- a/src/applications/phame/storage/PhameBlog.php +++ b/src/applications/phame/storage/PhameBlog.php @@ -136,6 +136,21 @@ final class PhameBlog extends PhameDAO return self::$requestBlog; } + public function getLiveURI(PhamePost $post = null) { + if ($this->getDomain()) { + $base = new PhutilURI('http://'.$this->getDomain().'/'); + } else { + $base = '/phame/live/'.$this->getID().'/'; + $base = PhabricatorEnv::getURI($base); + } + + if ($post) { + $base .= '/post/'.$post->getPhameTitle(); + } + + return $base; + } + /* -( PhabricatorPolicyInterface Implementation )-------------------------- */