Refine error messages for CSRF exceptions
Summary: See T489. Provide slightly more detail so we can figure out if there's a real issue here. Test Plan: Hit URIs like: /differential/comment/preview/29/ /differential/comment/preview/29/?__ajax__=1 /differential/comment/preview/29/?__csrf__=1 ...and got appropriate error messages. Reviewers: jungejason Reviewed By: jungejason CC: aran, jungejason Differential Revision: 884
This commit is contained in:
parent
83f1140785
commit
c2fef51b3d
1 changed files with 18 additions and 1 deletions
|
@ -145,6 +145,22 @@ class AphrontRequest {
|
|||
|
||||
$valid = $this->getUser()->validateCSRFToken($token);
|
||||
if (!$valid) {
|
||||
|
||||
// Add some diagnostic details so we can figure out if some CSRF issues
|
||||
// are JS problems or people accessing Ajax URIs directly with their
|
||||
// browsers.
|
||||
if ($token) {
|
||||
$token_info = "with an invalid CSRF token";
|
||||
} else {
|
||||
$token_info = "without a CSRF token";
|
||||
}
|
||||
|
||||
if ($this->isAjax()) {
|
||||
$more_info = "(This was an Ajax request, {$token_info}.)";
|
||||
} else {
|
||||
$more_info = "(This was a web request, {$token_info}.)";
|
||||
}
|
||||
|
||||
// This should only be able to happen if you load a form, pull your
|
||||
// internet for 6 hours, and then reconnect and immediately submit,
|
||||
// but give the user some indication of what happened since the workflow
|
||||
|
@ -155,7 +171,8 @@ class AphrontRequest {
|
|||
"certain type of login hijacking attack. However, the token can ".
|
||||
"become invalid if you leave a page open for more than six hours ".
|
||||
"without a connection to the internet. To fix this problem: reload ".
|
||||
"the page, and then resubmit it.");
|
||||
"the page, and then resubmit it.\n\n".
|
||||
$more_info);
|
||||
}
|
||||
|
||||
return true;
|
||||
|
|
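Review bot: The `if ($token)` test at the top of the new diagnostic block relies on PHP truthiness, so a token that was submitted but carries a falsy value (for example the string `"0"`) is reported as "without a CSRF token" even though one was sent, which blurs exactly the missing-vs-invalid distinction this change is meant to surface. A presence check such as `if ((string)$token !== '') {` keeps the two cases apart; how `$token` is obtained is outside the hunk, so confirm there that it is a string or null. The enclosing method begins before the first hunk and its closing brace lies beyond the second, so the `return true;` path is not fully visible here. The `"\n\n"` appended in the second hunk only separates the two sentences where the exception text is rendered preformatted; if it is emitted into HTML it collapses to a space, which is worth noting in a comment on that line.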