Actually check CSRF on Password and LDAP forms

Summary: Ref T4339. We didn't previously check `isFormPost()` on these, but now should. Test Plan: Changed csrf token on login, got kicked out. Reviewers: btrahan, chad Reviewed By: chad CC: aran Maniphest Tasks: T4339 Differential Revision: https://secure.phabricator.com/D8051
2024-09-19 16:58:48 +02:00 · 2014-01-23 14:18:26 -08:00 · 2014-01-23 14:18:26 -08:00 · febc494737
commit febc494737
parent 5b1d9c935a
2 changed files with 35 additions and 30 deletions
--- a/src/applications/auth/provider/PhabricatorAuthProviderLDAP.php
+++ b/src/applications/auth/provider/PhabricatorAuthProviderLDAP.php
@ -150,25 +150,27 @@ final class PhabricatorAuthProviderLDAP
      return array($account, $response);
    }

-    try {
-      if (strlen($username) && $has_password) {
-        $adapter = $this->getAdapter();
-        $adapter->setLoginUsername($username);
-        $adapter->setLoginPassword($password);
+    if ($request->isFormPost()) {
+      try {
+        if (strlen($username) && $has_password) {
+          $adapter = $this->getAdapter();
+          $adapter->setLoginUsername($username);
+          $adapter->setLoginPassword($password);

-        // TODO: This calls ldap_bind() eventually, which dumps cleartext
-        // passwords to the error log. See note in PhutilAuthAdapterLDAP.
-        // See T3351.
+          // TODO: This calls ldap_bind() eventually, which dumps cleartext
+          // passwords to the error log. See note in PhutilAuthAdapterLDAP.
+          // See T3351.

-        DarkConsoleErrorLogPluginAPI::enableDiscardMode();
-          $account_id = $adapter->getAccountID();
-        DarkConsoleErrorLogPluginAPI::disableDiscardMode();
-      } else {
-        throw new Exception("Username and password are required!");
+          DarkConsoleErrorLogPluginAPI::enableDiscardMode();
+            $account_id = $adapter->getAccountID();
+          DarkConsoleErrorLogPluginAPI::disableDiscardMode();
+        } else {
+          throw new Exception("Username and password are required!");
+        }
+      } catch (Exception $ex) {
+        // TODO: Make this cleaner.
+        throw $ex;
      }
-    } catch (Exception $ex) {
-      // TODO: Make this cleaner.
-      throw $ex;
    }

    return array($this->loadOrCreateAccount($account_id), $response);
--- a/src/applications/auth/provider/PhabricatorAuthProviderPassword.php
+++ b/src/applications/auth/provider/PhabricatorAuthProviderPassword.php
@ -163,22 +163,25 @@ final class PhabricatorAuthProviderPassword
    $account = null;
    $log_user = null;

-    if (!$require_captcha || $captcha_valid) {
-      $username_or_email = $request->getStr('username');
-      if (strlen($username_or_email)) {
-        $user = id(new PhabricatorUser())->loadOneWhere(
-          'username = %s',
-          $username_or_email);
+    if ($request->isFormPost()) {
+      if (!$require_captcha || $captcha_valid) {
+        $username_or_email = $request->getStr('username');
+        if (strlen($username_or_email)) {
+          $user = id(new PhabricatorUser())->loadOneWhere(
+            'username = %s',
+            $username_or_email);

-        if (!$user) {
-          $user = PhabricatorUser::loadOneWithEmailAddress($username_or_email);
-        }
+          if (!$user) {
+            $user = PhabricatorUser::loadOneWithEmailAddress(
+              $username_or_email);
+          }

-        if ($user) {
-          $envelope = new PhutilOpaqueEnvelope($request->getStr('password'));
-          if ($user->comparePassword($envelope)) {
-            $account = $this->loadOrCreateAccount($user->getPHID());
-            $log_user = $user;
+          if ($user) {
+            $envelope = new PhutilOpaqueEnvelope($request->getStr('password'));
+            if ($user->comparePassword($envelope)) {
+              $account = $this->loadOrCreateAccount($user->getPHID());
+              $log_user = $user;
+            }
          }
        }
      }