1
0
Fork 0
mirror of https://we.phorge.it/source/phorge.git synced 2024-11-29 10:12:41 +01:00

Fix exception with "phabricator.allowed-uris" when trying to set cookies

Summary: The `phabricator.allowed-uris` config setting is not checked properly when trying to set cookies.

Test Plan:
Set an alternate URI, then accessed Phabricator. No longer received a secondary cookie error.

Hit the new exceptions to test them:

{F51131}
{F51132}

Reviewers: btrahan, garoevans

Reviewed By: btrahan

CC: aran

Differential Revision: https://secure.phabricator.com/D6528
This commit is contained in:
epriestley 2013-07-22 12:21:08 -07:00
parent c66ea56743
commit 7657c5e145
3 changed files with 40 additions and 12 deletions

View file

@ -286,21 +286,49 @@ final class AphrontRequest {
// domain. Also, use the URI protocol to control SSL-only cookies.
$base_uri = PhabricatorEnv::getEnvConfig('phabricator.base-uri');
if ($base_uri) {
$base_uri = new PhutilURI($base_uri);
$base_domain = $base_uri->getDomain();
$base_protocol = $base_uri->getProtocol();
$alternates = PhabricatorEnv::getEnvConfig('phabricator.allowed-uris');
$allowed_uris = array_merge(
array($base_uri),
$alternates);
$host = $this->getHost();
if ($base_domain != $host) {
throw new Exception(
"This install of Phabricator is configured as '{$base_domain}' but ".
"you are accessing it via '{$host}'. Access Phabricator via ".
"the primary configured domain.");
$match = null;
foreach ($allowed_uris as $allowed_uri) {
$uri = new PhutilURI($allowed_uri);
$domain = $uri->getDomain();
if ($host == $domain) {
$match = $uri;
break;
}
}
$is_secure = ($base_protocol == 'https');
if ($match === null) {
if (count($allowed_uris) > 1) {
throw new Exception(
pht(
'This Phabricator install is configured as "%s", but you are '.
'accessing it via "%s". Access Phabricator via the primary '.
'configured domain, or one of the permitted alternate '.
'domains: %s. Phabricator will not set cookies on other domains '.
'for security reasons.',
$base_uri,
$host,
implode(', ', $alternates)));
} else {
throw new Exception(
pht(
'This Phabricator install is configured as "%s", but you are '.
'accessing it via "%s". Acccess Phabricator via the primary '.
'configured domain. Phabricator will not set cookies on other '.
'domains for security reasons.',
$base_uri,
$host));
}
}
$base_domain = $match->getDomain();
$is_secure = ($match->getProtocol() == 'https');
} else {
$base_uri = new PhutilURI(PhabricatorEnv::getRequestBaseURI());
$base_domain = $base_uri->getDomain();

View file

@ -116,7 +116,7 @@ final class PhabricatorConfigEditController
} else if ($option->getLocked()) {
$msg = pht(
"This configuration is locked and can not be edited from the web ".
"interface.");
"interface. Use `./bin/config` in `phabricator/` to edit it.");
$error_view = id(new AphrontErrorView())
->setTitle(pht('Configuration Locked'))

View file

@ -60,7 +60,7 @@ final class PhabricatorCoreConfigOptions
"across domains."))
->addExample(
'["http://phabricator2.example.com/", '.
'"http://phabricator3.example.com/]"',
'"http://phabricator3.example.com/"]',
pht('Valid Setting')),
$this->newOption('phabricator.timezone', 'string', null)
->setSummary(