mirror of
https://we.phorge.it/source/phorge.git
synced 2024-11-18 12:52:42 +01:00
Don't reveal oauth application token information
Summary: There's an OAuth diagnostics page at /oauth/facebook/diagnose/, which shows some diagnostic information. Currently, it attempts to establish an application token session and shows the token if it is successful. An attacker could use this to do vaguely nefarious things (retreive application statistics, I think?). This interface was originally admin-only but then I threw out the very silly admin mode patch I had at the time and we currently have no admin mode, and thus this interface is public. This token isn't useful in diagnosis anyway, so don't reveal it. Test Plan: Visited oauth diagnostics page, no token revealed Reviewed By: tuomaspelkonen Reviewers: tuomaspelkonen, jungejason CC: tuomaspelkonen Differential Revision: 136
This commit is contained in:
parent
ca7a0de1cf
commit
6e713ad784
1 changed files with 1 additions and 1 deletions
|
@ -168,7 +168,7 @@ class PhabricatorOAuthDiagnosticsController
|
|||
if ($token_strict) {
|
||||
$results['App Login'] = array(
|
||||
$res_ok,
|
||||
$token_strict,
|
||||
'(A Valid Token)',
|
||||
"Raw application login to Facebook works.");
|
||||
} else {
|
||||
$data = json_decode($token_value, true);
|
||||
|
|
Loading…
Reference in a new issue