Store the digest of the registration key, not the key itslef

Summary: Ref T1536. Like D6080, we don't need to store the registration key itself. This prevents a theoretical attacker who can read the database but not write to it from hijacking registrations. Test Plan: Registered a new account. Reviewers: btrahan Reviewed By: btrahan CC: aran Maniphest Tasks: T1536 Differential Revision: https://secure.phabricator.com/D6188
2024-11-22 23:02:42 +01:00 · 2013-06-16 10:19:31 -07:00 · 2013-06-16 10:19:31 -07:00 · e71564fc75
commit e71564fc75
parent 8c3ef4b73c
2 changed files with 10 additions and 2 deletions
--- a/src/applications/auth/controller/PhabricatorAuthLoginController.php
+++ b/src/applications/auth/controller/PhabricatorAuthLoginController.php
@ -123,7 +123,9 @@ final class PhabricatorAuthLoginController
    // key.

    $registration_key = Filesystem::readRandomCharacters(32);
-    $account->setProperty('registrationKey', $registration_key);
+    $account->setProperty(
+      'registrationKey',
+      PhabricatorHash::digest($registration_key));

    $unguarded = AphrontWriteGuard::beginScopedUnguardedWrites();
      $account->save();
--- a/src/applications/auth/controller/PhabricatorAuthRegisterController.php
+++ b/src/applications/auth/controller/PhabricatorAuthRegisterController.php
@ -359,7 +359,13 @@ final class PhabricatorAuthRegisterController
          'Check that cookies are enabled and try again.'));
    }

-    if ($registration_key != $account->getProperty('registrationKey')) {
+    // We store the digest of the key rather than the key itself to prevent a
+    // theoretical attacker with read-only access to the database from
+    // hijacking registration sessions.
+
+    $actual = $account->getProperty('registrationKey');
+    $expect = PhabricatorHash::digest($registration_key);
+    if ($actual !== $expect) {
      return $this->renderError(
        pht(
          'Your browser submitted a different registration key than the one '.