mirror of https://we.phorge.it/source/phorge.git synced 2025-01-25 22:18:19 +01:00

Security - disable conduit act as user by default

Summary: Introduce a new configuration setting that by default disables the conduit act as user method. Wordily explain that turning it on is not recommended. Fixes T3818.

Test Plan:
```
15:25:19 ~/Dropbox/code/phalanx/src/applications/conduit (T3818)
~>  echo '{}' | arc call-conduit --conduit-uri http://phalanx.dev/ user.whoami
Waiting for JSON parameters on stdin...
{"error":null,"errorMessage":null,"response":{"phid":"PHID-USER-tghb3b2gbdyezdcuw2or","userName":"btrahan","realName":"Bob Trahan","image":"http:\/\/phalanx.dev\/file\/data\/yncjbh7phk7ktrdhuorn\/PHID-FILE-qyf4ui3x2ll3e52hpg5e\/profile-profile-gravatar","uri":"http:\/\/phalanx.dev\/p\/btrahan\/","roles":["admin","verified","approved","activated"]}}
15:25:34 ~/Dropbox/code/phalanx/src/applications/conduit (T3818)

<go edit libconfig/conduitclient to spoof another user...>

~>  echo '{}' | arc call-conduit --conduit-uri http://phalanx.dev/ user.whoami
Waiting for JSON parameters on stdin...
{"error":"ERR-CONDUIT-CORE","errorMessage":"ERR-CONDUIT-CORE: security.allow-conduit-act-as-user is disabled","response":null}
15:26:40 ~/Dropbox/code/phalanx/src/applications/conduit (T3818)

<enable option via bin/config....>

~>  echo '{}' | arc call-conduit --conduit-uri http://phalanx.dev/ user.whoami
Waiting for JSON parameters on stdin...
{"error":null,"errorMessage":null,"response":{"phid":"PHID-USER-6lcglnzbkiamdofishgi","userName":"xerxes","realName":"Xerxes Trahan","image":"http:\/\/phalanx.dev\/file\/data\/n2kyeevowetcuynbcxrg\/PHID-FILE-voquikectzpde256zzvm\/profile-1275455993.jpg","uri":"http:\/\/phalanx.dev\/p\/xerxes\/","roles":["verified","approved","activated"]}}
```

Reviewers: epriestley

Reviewed By: epriestley

Subscribers: jevripio, sowedance, epriestley, Korvin

Maniphest Tasks: T3818

Differential Revision: https://secure.phabricator.com/D9881
Bob Trahan 2014-07-10 15:43:53 -07:00
parent fae23e0860
commit e281c5ee90
2 changed files with 22 additions and 1 deletions


@ -164,6 +164,11 @@ final class PhabricatorConduitAPIController
ConduitAPIRequest $api_request, ConduitAPIRequest $api_request,
$user_name) { $user_name) {
$config_key = 'security.allow-conduit-act-as-user';
if (!PhabricatorEnv::getEnvConfig($config_key)) {
throw new Exception('security.allow-conduit-act-as-user is disabled');
}
if (!$api_request->getUser()->getIsAdmin()) { if (!$api_request->getUser()->getIsAdmin()) {
throw new Exception('Only administrators can use actAsUser'); throw new Exception('Only administrators can use actAsUser');
} }
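Review bot: The added throw spells the option name out again as a literal even though `$config_key` holds it two lines above, so the error text and the key that is actually checked can drift apart if the option is ever renamed; build the message from the variable instead, `throw new Exception(pht('%s is disabled', $config_key));`. The gate also runs before the administrator check, which means any caller that reaches this method learns whether the option is on; moving it below the `getIsAdmin()` test would keep that detail to administrators. The method starts and ends outside the hunk, so it is not visible here whether an allowed act-as-user call is recorded with both the administrator and the target user; if it is not, that record is worth adding while the option remains available.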


@ -219,11 +219,27 @@ final class PhabricatorSecurityConfigOptions
)) ))
->setLocked(true) ->setLocked(true)
->setSummary( ->setSummary(
pht('Allow outbound HTTP requests')) pht('Allow outbound HTTP requests.'))
->setDescription( ->setDescription(
pht( pht(
'If you enable this, you are allowing Phabricator to '. 'If you enable this, you are allowing Phabricator to '.
'potentially make requests to external servers.')), 'potentially make requests to external servers.')),
$this->newOption('security.allow-conduit-act-as-user', 'bool', false)
->setBoolOptions(
array(
pht('Allow'),
pht('Disallow'),
))
->setLocked(true)
->setSummary(
pht('Allow administrators to use the Conduit API as other users.'))
->setDescription(
pht(
'DEPRECATED - if you enable this, you are allowing '.
'administrators to act as any user via the Conduit API. '.
'Enabling this is not advised as it introduces a huge policy '.
'violation and has been obsoleted in functionality.')),
); );
} }