mirror of
https://we.phorge.it/source/phorge.git
synced 2024-12-22 21:40:55 +01:00
Fix a redirect-on-login issue by allowing logged-out users to view 404 pages
Summary: See T2102 and inline for discussion. This seems like the least-bad approach until we have something better. The utility of next_uri seems much greater than the minor exposure of routable URIs. Note that attackers can //not// detect if routable URIs are //valid// (e.g., "/D999" will always hit the login page whether it exists or not), just that they're routable. So you can only really tell if apps are installed or not. Test Plan: Hit `/alsdknlkasnbla` while logged out, got 404 instead of login. Reviewers: vrana, codeblock, btrahan Reviewed By: codeblock CC: aran Maniphest Tasks: T2102 Differential Revision: https://secure.phabricator.com/D4012
This commit is contained in:
parent
b5c7896b10
commit
66c648cc56
1 changed files with 29 additions and 0 deletions
|
@ -2,6 +2,35 @@
|
|||
|
||||
final class Phabricator404Controller extends PhabricatorController {
|
||||
|
||||
public function shouldRequireLogin() {
|
||||
|
||||
// NOTE: See T2102 for discussion. When a logged-out user requests a page,
|
||||
// we give them a login form and set a `next_uri` cookie so we send them
|
||||
// back to the page they requested after they login. However, some browsers
|
||||
// or extensions request resources which may not exist (like
|
||||
// "apple-touch-icon.png" and "humans.txt") and these requests may overwrite
|
||||
// the stored "next_uri" after the login page loads. Our options for dealing
|
||||
// with this are all bad:
|
||||
//
|
||||
// 1. We can't put the URI in the form because some login methods (OAuth2)
|
||||
// issue redirects to third-party sites. After T1536 we might be able
|
||||
// to.
|
||||
// 2. We could set the cookie only if it doesn't exist, but then a user who
|
||||
// declines to login will end up in the wrong place if they later do
|
||||
// login.
|
||||
// 3. We can blacklist all the resources browsers request, but this is a
|
||||
// mess.
|
||||
// 4. We can just allow users to access the 404 page without login, so
|
||||
// requesting bad URIs doesn't set the cookie.
|
||||
//
|
||||
// This implements (4). The main downside is that an attacker can now detect
|
||||
// if a URI is routable (i.e., some application is installed) by testing for
|
||||
// 404 vs login. If possible, we should implement T1536 in such a way that
|
||||
// we can pass the next URI through the login process.
|
||||
|
||||
return false;
|
||||
}
|
||||
|
||||
public function processRequest() {
|
||||
return new Aphront404Response();
|
||||
}
|
||||
|
|
Loading…
Reference in a new issue