1
0
Fork 0
mirror of https://we.phorge.it/source/phorge.git synced 2024-11-14 10:52:41 +01:00
Commit graph

2 commits

Author SHA1 Message Date
epriestley
6e713ad784 Don't reveal oauth application token information
Summary:
There's an OAuth diagnostics page at /oauth/facebook/diagnose/, which
shows some diagnostic information. Currently, it attempts to establish an
application token session and shows the token if it is successful. An attacker
could use this to do vaguely nefarious things (retreive application statistics,
I think?).

This interface was originally admin-only but then I threw out the very silly
admin mode patch I had at the time and we currently have no admin mode, and
thus this interface is public. This token isn't useful in diagnosis anyway,
so don't reveal it.

Test Plan:
Visited oauth diagnostics page, no token revealed

Reviewed By: tuomaspelkonen
Reviewers: tuomaspelkonen, jungejason
CC: tuomaspelkonen
Differential Revision: 136
2011-04-14 13:32:49 -07:00
epriestley
c3c16d0ac0 Github OAuth
Summary:

Test Plan:

Reviewers:

CC:
2011-02-21 00:23:24 -08:00
Renamed from src/applications/auth/controller/facebookauth/diagnostics/PhabricatorFacebookAuthDiagnosticsController.php (Browse further)