
Polish removal of conduit shield, including legacy stripping for phabricator on phabricator oauth scenarios

Summary: ...just in case that stuff happens in the "wild". Also cleaned up the logic here since we no longer have the conduit conditionality.

Test Plan: made sure I didn't break JS on the site. reasoned about logic of my function and asking people PHP typing questions in job interviews.

Reviewers: epriestley, vrana

Reviewed By: epriestley

CC: aran, Korvin

Maniphest Tasks: T891

Differential Revision: https://secure.phabricator.com/D3269
Bob Trahan 2012-08-13 16:05:56 -07:00
parent 8b8549128f
commit 7bb3c39cde
4 changed files with 8 additions and 8 deletions


@ -67,7 +67,7 @@ final class AphrontAjaxResponse extends AphrontResponse {
$this->error);
$response_json = $this->encodeJSONForHTTPResponse($object);
return $this->addJSONShield($response_json, $use_javelin_shield = true);
return $this->addJSONShield($response_json);
}
public function getHeaders() {


@ -44,7 +44,7 @@ final class AphrontJSONResponse extends AphrontResponse {
public function buildResponseString() {
$response = $this->encodeJSONForHTTPResponse($this->content);
if ($this->shouldAddJSONShield()) {
$response = $this->addJSONShield($response, $use_javelin_shield = false);
$response = $this->addJSONShield($response);
}
return $response;
}


@ -85,7 +85,7 @@ abstract class AphrontResponse {
return $response;
}
protected function addJSONShield($json_response, $use_javelin_shield) {
protected function addJSONShield($json_response) {
// Add a shield to prevent "JSON Hijacking" attacks where an attacker
// requests a JSON response using a normal <script /> tag and then uses
@ -93,11 +93,7 @@ abstract class AphrontResponse {
// This header causes the browser to loop infinitely instead of handing over
// sensitive data.
// TODO: This is massively stupid: Javelin and Conduit use different
// shields.
$shield = $use_javelin_shield
? 'for (;;);'
: 'for(;;);';
$shield = 'for (;;);';
$response = $shield.$json_response;
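Review bot: The literal `'for (;;);'` on the new `$shield` line is now the single prefix every JSON client has to strip, yet it stays a bare string inside addJSONShield with nothing named that the stripping side can reference. Hoisting it to a class constant, e.g. `const JSON_SHIELD = 'for (;;);';` on AphrontResponse and `$shield = self::JSON_SHIELD;`, would keep server and client in step, and the retained comment could end with `// Clients must strip exactly this prefix (9 bytes, including the space).` so the spacing is not treated as incidental. The body of addJSONShield continues past the end of the hunk.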


@ -104,6 +104,10 @@ extends PhabricatorOAuthProvider {
}
public function setUserData($data) {
// legacy conditionally strip shield. see D3265 for discussion.
if (strpos($data, 'for(;;);') === 0) {
$data = substr($data, 8);
}
$data = idx(json_decode($data, true), 'result');
$this->validateUserData($data);
$this->userData = $data;
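Review bot: The `idx(json_decode($data, true), 'result')` line handles a decode failure no differently from a valid response: when `$data` is not valid JSON after the legacy strip, `json_decode` returns null, and if idx's first parameter is declared as `array` (as it appears to be in libphutil) the call fails with a type error instead of a meaningful exception. Decoding explicitly makes the failure readable: `$decoded = json_decode($data, true);` / `if (!is_array($decoded)) { throw new Exception('Expected a JSON object in the OAuth user data response.'); }` / `$data = idx($decoded, 'result');`. The `substr($data, 8)` offset does match the 8-byte legacy `for(;;);` prefix; the spaced `for (;;);` form is presumably never emitted by the remote conduit endpoint, which is worth stating in the comment above the check. setUserData's closing brace lies outside the hunk.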