Fix exception with "phabricator.allowed-uris" when trying to set cookies
Summary: The `phabricator.allowed-uris` config setting is not checked properly when trying to set cookies. Test Plan: Set an alternate URI, then accessed Phabricator. No longer received a secondary cookie error. Hit the new exceptions to test them: {F51131} {F51132} Reviewers: btrahan, garoevans Reviewed By: btrahan CC: aran Differential Revision: https://secure.phabricator.com/D6528
This commit is contained in:
parent
c66ea56743
commit
7657c5e145
3 changed files with 40 additions and 12 deletions
@ -286,21 +286,49 @@ final class AphrontRequest {
|
|||
// domain. Also, use the URI protocol to control SSL-only cookies.
|
||||
$base_uri = PhabricatorEnv::getEnvConfig('phabricator.base-uri');
|
||||
if ($base_uri) {
|
||||
$base_uri = new PhutilURI($base_uri);
|
||||
|
||||
$base_domain = $base_uri->getDomain();
|
||||
$base_protocol = $base_uri->getProtocol();
|
||||
$alternates = PhabricatorEnv::getEnvConfig('phabricator.allowed-uris');
|
||||
$allowed_uris = array_merge(
|
||||
array($base_uri),
|
||||
$alternates);
|
||||
|
||||
$host = $this->getHost();
|
||||
|
||||
if ($base_domain != $host) {
|
||||
throw new Exception(
|
||||
"This install of Phabricator is configured as '{$base_domain}' but ".
|
||||
"you are accessing it via '{$host}'. Access Phabricator via ".
|
||||
"the primary configured domain.");
|
||||
$match = null;
|
||||
foreach ($allowed_uris as $allowed_uri) {
|
||||
$uri = new PhutilURI($allowed_uri);
|
||||
$domain = $uri->getDomain();
|
||||
if ($host == $domain) {
|
||||
$match = $uri;
|
||||
break;
|
||||
}
|
||||
}
|
||||
|
||||
$is_secure = ($base_protocol == 'https');
|
||||
if ($match === null) {
|
||||
if (count($allowed_uris) > 1) {
|
||||
throw new Exception(
|
||||
pht(
|
||||
'This Phabricator install is configured as "%s", but you are '.
|
||||
'accessing it via "%s". Access Phabricator via the primary '.
|
||||
'configured domain, or one of the permitted alternate '.
|
||||
'domains: %s. Phabricator will not set cookies on other domains '.
|
||||
'for security reasons.',
|
||||
$base_uri,
|
||||
$host,
|
||||
implode(', ', $alternates)));
|
||||
} else {
|
||||
throw new Exception(
|
||||
pht(
|
||||
'This Phabricator install is configured as "%s", but you are '.
|
||||
'accessing it via "%s". Acccess Phabricator via the primary '.
|
||||
'configured domain. Phabricator will not set cookies on other '.
|
||||
'domains for security reasons.',
|
||||
$base_uri,
|
||||
$host));
|
||||
}
|
||||
}
|
||||
|
||||
$base_domain = $match->getDomain();
|
||||
$is_secure = ($match->getProtocol() == 'https');
|
||||
} else {
|
||||
$base_uri = new PhutilURI(PhabricatorEnv::getRequestBaseURI());
|
||||
$base_domain = $base_uri->getDomain();
|
||||
|
|
|
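Review bot: The new message at line 150 contains a typo, `'accessing it via "%s". Acccess Phabricator via the primary '.` should read `'accessing it via "%s". Access Phabricator via the primary '.`, and since the string is passed through pht() the misspelling presumably also becomes the translation key. The host match at line 82 uses loose `==`; `if ($host === $domain) {` sidesteps PHP's numeric-string comparison rules and makes the exact-match intent explicit. Line 176 now derives `$is_secure` from the scheme of whichever allowed URI matched, so an alternate configured with `http://` yields cookies without the secure flag on that domain even when the base URI is https; a comment such as `// Cookie security follows the scheme of the matched allowed URI, not the base URI.` would make that consequence visible to operators. The enclosing method starts before and continues after this hunk.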
@ -116,7 +116,7 @@ final class PhabricatorConfigEditController
|
|||
} else if ($option->getLocked()) {
|
||||
$msg = pht(
|
||||
"This configuration is locked and can not be edited from the web ".
|
||||
"interface.");
|
||||
"interface. Use `./bin/config` in `phabricator/` to edit it.");
|
||||
|
||||
$error_view = id(new AphrontErrorView())
|
||||
->setTitle(pht('Configuration Locked'))
|
||||
|
|
|
@ -60,7 +60,7 @@ final class PhabricatorCoreConfigOptions
|
|||
"across domains."))
|
||||
->addExample(
|
||||
'["http://phabricator2.example.com/", '.
|
||||
'"http://phabricator3.example.com/]"',
|
||||
'"http://phabricator3.example.com/"]',
|
||||
pht('Valid Setting')),
|
||||
$this->newOption('phabricator.timezone', 'string', null)
|
||||
->setSummary(
|
||||
|
|