Actually check CSRF on Password and LDAP forms

Summary: Ref T4339. We didn't previously check `isFormPost()` on these, but now should. Test Plan: Changed csrf token on login, got kicked out. Reviewers: btrahan, chad Reviewed By: chad CC: aran Maniphest Tasks: T4339 Differential Revision: https://secure.phabricator.com/D8051
2024-12-30 09:20:58 +01:00 · 2014-01-23 14:18:26 -08:00 · 2014-01-23 14:18:26 -08:00 · febc494737
commit febc494737
parent 5b1d9c935a
2 changed files with 35 additions and 30 deletions
--- a/src/applications/auth/provider/PhabricatorAuthProviderLDAP.php
+++ b/src/applications/auth/provider/PhabricatorAuthProviderLDAP.php
@ -150,25 +150,27 @@ final class PhabricatorAuthProviderLDAP
      return array($account, $response);
    }
-    try {
+    if ($request->isFormPost()) {
-      if (strlen($username) && $has_password) {
+      try {
-        $adapter = $this->getAdapter();
+        if (strlen($username) && $has_password) {
-        $adapter->setLoginUsername($username);
+          $adapter = $this->getAdapter();
-        $adapter->setLoginPassword($password);
+          $adapter->setLoginUsername($username);
          $adapter->setLoginPassword($password);
-        // TODO: This calls ldap_bind() eventually, which dumps cleartext
+          // TODO: This calls ldap_bind() eventually, which dumps cleartext
-        // passwords to the error log. See note in PhutilAuthAdapterLDAP.
+          // passwords to the error log. See note in PhutilAuthAdapterLDAP.
-        // See T3351.
+          // See T3351.
-        DarkConsoleErrorLogPluginAPI::enableDiscardMode();
+          DarkConsoleErrorLogPluginAPI::enableDiscardMode();
-          $account_id = $adapter->getAccountID();
+            $account_id = $adapter->getAccountID();
-        DarkConsoleErrorLogPluginAPI::disableDiscardMode();
+          DarkConsoleErrorLogPluginAPI::disableDiscardMode();
-      } else {
+        } else {
-        throw new Exception("Username and password are required!");
+          throw new Exception("Username and password are required!");
        }
      } catch (Exception $ex) {
        // TODO: Make this cleaner.
        throw $ex;
      }
    } catch (Exception $ex) {
      // TODO: Make this cleaner.
      throw $ex;
    }
    return array($this->loadOrCreateAccount($account_id), $response);
--- a/src/applications/auth/provider/PhabricatorAuthProviderPassword.php
+++ b/src/applications/auth/provider/PhabricatorAuthProviderPassword.php
@ -163,22 +163,25 @@ final class PhabricatorAuthProviderPassword
    $account = null;
    $log_user = null;
-    if (!$require_captcha || $captcha_valid) {
+    if ($request->isFormPost()) {
-      $username_or_email = $request->getStr('username');
+      if (!$require_captcha || $captcha_valid) {
-      if (strlen($username_or_email)) {
+        $username_or_email = $request->getStr('username');
-        $user = id(new PhabricatorUser())->loadOneWhere(
+        if (strlen($username_or_email)) {
-          'username = %s',
+          $user = id(new PhabricatorUser())->loadOneWhere(
-          $username_or_email);
+            'username = %s',
            $username_or_email);
-        if (!$user) {
+          if (!$user) {
-          $user = PhabricatorUser::loadOneWithEmailAddress($username_or_email);
+            $user = PhabricatorUser::loadOneWithEmailAddress(
-        }
+              $username_or_email);
          }
-        if ($user) {
+          if ($user) {
-          $envelope = new PhutilOpaqueEnvelope($request->getStr('password'));
+            $envelope = new PhutilOpaqueEnvelope($request->getStr('password'));
-          if ($user->comparePassword($envelope)) {
+            if ($user->comparePassword($envelope)) {
-            $account = $this->loadOrCreateAccount($user->getPHID());
+              $account = $this->loadOrCreateAccount($user->getPHID());
-            $log_user = $user;
+              $log_user = $user;
            }
          }
        }
      }