
Actually check CSRF on Password and LDAP forms

Summary: Ref T4339. We didn't previously check `isFormPost()` on these, but now should.

Test Plan: Changed csrf token on login, got kicked out.

Reviewers: btrahan, chad

Reviewed By: chad

CC: aran

Maniphest Tasks: T4339

Differential Revision: https://secure.phabricator.com/D8051
epriestley 2014-01-23 14:18:26 -08:00
parent 5b1d9c935a
commit febc494737
2 changed files with 35 additions and 30 deletions


@ -150,6 +150,7 @@ final class PhabricatorAuthProviderLDAP
return array($account, $response); return array($account, $response);
} }
if ($request->isFormPost()) {
try { try {
if (strlen($username) && $has_password) { if (strlen($username) && $has_password) {
$adapter = $this->getAdapter(); $adapter = $this->getAdapter();
@ -170,6 +171,7 @@ final class PhabricatorAuthProviderLDAP
// TODO: Make this cleaner. // TODO: Make this cleaner.
throw $ex; throw $ex;
} }
}
return array($this->loadOrCreateAccount($account_id), $response); return array($this->loadOrCreateAccount($account_id), $response);
} }
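Review bot: When `isFormPost()` returns false the new guard skips the try block, but control still falls through to `return array($this->loadOrCreateAccount($account_id), $response);` on the last line, and `$account_id` is assigned only inside the guarded block; whether it gets a safe initial value earlier cannot be seen here, because the enclosing method starts before the hunk. If it does not, a plain GET carrying the fields, or a POST that is not a form post, ends in `loadOrCreateAccount(null)` instead of an explicit rejection (the test plan shows a bad token being kicked out, which presumably comes from inside `isFormPost()`, but a non-form request is a different path). Failing closed is easier to reason about: replace the wrapper with an early exit in the same shape the branch at the top of the hunk already uses, `if (!$request->isFormPost()) { return array($account, $response); }`, and leave the try block at its original indentation. A short comment above it, `// Only authenticate on a CSRF-validated form post; see T4339.`, records why the check exists.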


@ -163,6 +163,7 @@ final class PhabricatorAuthProviderPassword
$account = null; $account = null;
$log_user = null; $log_user = null;
if ($request->isFormPost()) {
if (!$require_captcha || $captcha_valid) { if (!$require_captcha || $captcha_valid) {
$username_or_email = $request->getStr('username'); $username_or_email = $request->getStr('username');
if (strlen($username_or_email)) { if (strlen($username_or_email)) {
@ -171,7 +172,8 @@ final class PhabricatorAuthProviderPassword
$username_or_email); $username_or_email);
if (!$user) { if (!$user) {
$user = PhabricatorUser::loadOneWithEmailAddress($username_or_email); $user = PhabricatorUser::loadOneWithEmailAddress(
$username_or_email);
} }
if ($user) { if ($user) {
@ -183,6 +185,7 @@ final class PhabricatorAuthProviderPassword
} }
} }
} }
}
if (!$account) { if (!$account) {
if ($request->isFormPost()) { if ($request->isFormPost()) {