phorge-phorge

1671 commits 3 branches 7 tags 153 MiB

Author	SHA1	Message	Date
Bob Trahan	5ba9edff51	OAuth -- generalize / refactor providers and diagnostics page Summary: split out from D1595 Test Plan: oauth/facebook/diagnose still looks good! Reviewers: epriestley Reviewed By: epriestley CC: aran, epriestley Differential Revision: https://secure.phabricator.com/D1632	2012-02-17 11:13:51 -08:00
epriestley	6e713ad784	Don't reveal oauth application token information Summary: There's an OAuth diagnostics page at /oauth/facebook/diagnose/, which shows some diagnostic information. Currently, it attempts to establish an application token session and shows the token if it is successful. An attacker could use this to do vaguely nefarious things (retreive application statistics, I think?). This interface was originally admin-only but then I threw out the very silly admin mode patch I had at the time and we currently have no admin mode, and thus this interface is public. This token isn't useful in diagnosis anyway, so don't reveal it. Test Plan: Visited oauth diagnostics page, no token revealed Reviewed By: tuomaspelkonen Reviewers: tuomaspelkonen, jungejason CC: tuomaspelkonen Differential Revision: 136	2011-04-14 13:32:49 -07:00
epriestley	c3c16d0ac0	Github OAuth Summary: Test Plan: Reviewers: CC:	2011-02-21 00:23:24 -08:00

Author

SHA1

Message

Date

Bob Trahan

5ba9edff51

OAuth -- generalize / refactor providers and diagnostics page

Summary: split out from D1595

Test Plan: oauth/facebook/diagnose still looks good!

Reviewers: epriestley

Reviewed By: epriestley

CC: aran, epriestley

Differential Revision: https://secure.phabricator.com/D1632

2012-02-17 11:13:51 -08:00

epriestley

6e713ad784

Don't reveal oauth application token information

Summary:
There's an OAuth diagnostics page at /oauth/facebook/diagnose/, which
shows some diagnostic information. Currently, it attempts to establish an
application token session and shows the token if it is successful. An attacker
could use this to do vaguely nefarious things (retreive application statistics,
I think?).

This interface was originally admin-only but then I threw out the very silly
admin mode patch I had at the time and we currently have no admin mode, and
thus this interface is public. This token isn't useful in diagnosis anyway,
so don't reveal it.

Test Plan:
Visited oauth diagnostics page, no token revealed

Reviewed By: tuomaspelkonen
Reviewers: tuomaspelkonen, jungejason
CC: tuomaspelkonen
Differential Revision: 136

2011-04-14 13:32:49 -07:00

epriestley

c3c16d0ac0

Github OAuth

Summary:

Test Plan:

Reviewers:

CC:

2011-02-21 00:23:24 -08:00

Renamed from src/applications/auth/controller/facebookauth/diagnostics/PhabricatorFacebookAuthDiagnosticsController.php (Browse further)

3 commits