Unbreak OAuth Registration

Summary:
@vrana patched an important external-CSRF-leaking hole recently (D1558), but
since we are sloppy in building this form it got caught in the crossfire.

We set action to something like "http://this.server.com/oauth/derp/", but that
triggers CSRF protection by removing CSRF tokens from the form. This makes OAuth
login not work.

Instead, use the local path only so we generate a CSRF token.

Test Plan: Registered locally via oauth.

Reviewers: vrana, btrahan

Reviewed By: vrana

CC: aran, epriestley, demo

Maniphest Tasks: T853

Differential Revision: https://secure.phabricator.com/D1597

src/applications/auth/controller/oauthregistration/default/PhabricatorOAuthDefaultRegistrationController.php

@@ -121,13 +121,19 @@ class PhabricatorOAuthDefaultRegistrationController
       $error_view->setErrors($errors);
     }
 
+    // Strip the URI down to the path, because otherwise we'll trigger
+    // external CSRF protection (by having a protocol in the form "action")
+    // and generate a form with no CSRF token.
+    $action_uri = new PhutilURI($provider->getRedirectURI());
+    $action_path = $action_uri->getPath();
+
     $form = new AphrontFormView();
     $form
       ->addHiddenInput('token', $provider->getAccessToken())
       ->addHiddenInput('expires', $oauth_info->getTokenExpires())
       ->addHiddenInput('state', $this->getOAuthState())
       ->setUser($request->getUser())
-      ->setAction($provider->getRedirectURI())
+      ->setAction($action_path)
       ->appendChild(
         id(new AphrontFormTextControl())
           ->setLabel('Username')

src/applications/auth/controller/oauthregistration/default/__init__.php

@@ -16,6 +16,7 @@ phutil_require_module('phabricator', 'view/form/control/text');
 phutil_require_module('phabricator', 'view/form/error');
 phutil_require_module('phabricator', 'view/layout/panel');
 
+phutil_require_module('phutil', 'parser/uri');
 phutil_require_module('phutil', 'utils');