mirror of https://we.phorge.it/source/phorge.git synced 2024-09-22 10:18:48 +02:00
phorge-phorge/src/applications
epriestley 152f05aebe Fix some security issues with email password resets
Summary:
Via HackerOne, there are two related low-severity issues with this workflow:

  - We don't check if you're already logged in, so an attacker can trick a victim (whether they're logged in or not) into clicking a reset link for an account the attacker controls (maybe via an invisible iframe) and log the user in under a different account.
  - We don't check CSRF tokens either, so after fixing the first thing, an attacker can still trick a //logged-out// victim in the same way.

It's not really clear that doing this opens up any significant attacks afterward, but both of these behaviors aren't good.

I'll probably land this for audit in a few hours if @btrahan doesn't have a chance to take a look at it, since he's probably on a plane for most of the day; I'm pretty confident it doesn't break anything.

Test Plan:
  - As a logged-in user, clicked another user's password reset link and was not logged in.
  - As a logged-out user, clicked a password reset link and needed to submit a form to complete the workflow.

Reviewers: btrahan

CC: chad, btrahan, aran

Differential Revision: https://secure.phabricator.com/D8079
2014-01-27 16:53:04 -08:00
arcanist/conduit
audit Perform search indexing in the worker queue and respect bin/search index --background 2014-01-14 13:22:56 -08:00
auth Fix some security issues with email password resets 2014-01-27 16:53:04 -08:00
base Don't try to set anonymous session cookie on CDN/file domain 2014-01-24 12:29:03 -08:00
cache Complete modularization of the GC daemon 2014-01-15 10:02:31 -08:00
calendar Simplify PHUIObjectBoxViews handling of Save and Error states 2014-01-10 09:17:37 -08:00
chatlog Provide convenience method addTextCrumb() to PhabricatorCrumbsView 2013-12-18 17:47:34 -08:00
conduit Complete modularization of the GC daemon 2014-01-15 10:02:31 -08:00
config Mailgun receive support 2014-01-21 10:36:33 -08:00
conpherence Fix two issues with creating Conpherence threads via mail on some configurations 2013-12-12 10:59:28 -08:00
countdown Simplify PHUIObjectBoxViews handling of Save and Error states 2014-01-10 09:17:37 -08:00
daemon Do not perform write in PhabricatorDaemonLogQuery by default 2014-01-21 14:04:12 -08:00
differential Wrong method name. 2014-01-26 15:30:38 -08:00
diffusion Don't let Diffusion show that an importing repository is "100%" imported 2014-01-24 12:29:13 -08:00
diviner Move PhabricatorTagView to PHUITagView 2014-01-14 14:09:52 -08:00
doorkeeper Move PhabricatorTagView to PHUITagView 2014-01-14 14:09:52 -08:00
draft/storage
drydock Simplify PHUIObjectBoxViews handling of Save and Error states 2014-01-10 09:17:37 -08:00
fact Extend all "ManagementWorkflow" classes from a base class 2013-12-27 13:15:40 -08:00
feed Extend all "ManagementWorkflow" classes from a base class 2013-12-27 13:15:40 -08:00
files Complete modularization of the GC daemon 2014-01-15 10:02:31 -08:00
flag Work around a bug in PHP 5.3-ish with abstract methods in interfaces 2013-10-25 15:58:17 -07:00
harbormaster Improve several exception behaviors for Harbormaster workers 2014-01-13 12:21:49 -08:00
help/controller Make Differential views capability-sensitive 2013-09-26 18:45:04 -07:00
herald Modularize the Garbage Collector 2014-01-15 10:02:24 -08:00
home Allow logged-out users to view the homepage 2014-01-26 15:28:55 -08:00
legalpad Legalpad - style NOTE IMPORTANT WARNING remarkup slightly differently 2014-01-24 12:50:33 -08:00
lipsum Extend all "ManagementWorkflow" classes from a base class 2013-12-27 13:15:40 -08:00
macro Move PhabricatorTagView to PHUITagView 2014-01-14 14:09:52 -08:00
mailinglists Simplify PHUIObjectBoxViews handling of Save and Error states 2014-01-10 09:17:37 -08:00
maniphest Burnup report showing decimals on hover 2014-01-27 13:51:19 -08:00
meta Provide convenience method addTextCrumb() to PhabricatorCrumbsView 2013-12-18 17:47:34 -08:00
metamta Mailgun receive support 2014-01-21 10:36:33 -08:00
notification Add dates to notifications page 2014-01-22 20:09:32 -08:00
nuance Simplify PHUIObjectBoxViews handling of Save and Error states 2014-01-10 09:17:37 -08:00
oauthserver Initialize used variable 2013-07-09 21:55:27 -07:00
owners Simplify PHUIObjectBoxViews handling of Save and Error states 2014-01-10 09:17:37 -08:00
passphrase Simplify PHUIObjectBoxViews handling of Save and Error states 2014-01-10 09:17:37 -08:00
paste Simplify PHUIObjectBoxViews handling of Save and Error states 2014-01-10 09:17:37 -08:00
people Deprecate user.find 2014-01-25 14:23:39 -08:00
phame Simplify PHUIObjectBoxViews handling of Save and Error states 2014-01-10 09:17:37 -08:00
phid Make Drydock Lease and Resource PHIDs use newer PHID infrastructure 2013-12-26 12:29:58 -08:00
phlux Simplify PHUIObjectBoxViews handling of Save and Error states 2014-01-10 09:17:37 -08:00
pholio Simplify PHUIObjectBoxViews handling of Save and Error states 2014-01-10 09:17:37 -08:00
phortune Provide convenience method addTextCrumb() to PhabricatorCrumbsView 2013-12-18 17:47:34 -08:00
phpast Replace some hsprintf() by phutil_tag() 2013-11-11 09:23:23 -08:00
phragment Simplify PHUIObjectBoxViews handling of Save and Error states 2014-01-10 09:17:37 -08:00
phrequent Lock policy queries to their applications 2013-10-21 17:20:27 -07:00
phriction Perform search indexing in the worker queue and respect bin/search index --background 2014-01-14 13:22:56 -08:00
policy Legalpad - add policy rule for legalpad document signatures 2014-01-15 16:48:44 -08:00
ponder Move PhabricatorTagView to PHUITagView 2014-01-14 14:09:52 -08:00
project Perform search indexing in the worker queue and respect bin/search index --background 2014-01-14 13:22:56 -08:00
releeph Move PhabricatorTagView to PHUITagView 2014-01-14 14:09:52 -08:00
remarkup/conduit Support processing Remarkup in bulk with remarkup.processbulk Conduit method 2013-11-02 16:30:11 -07:00
repository Update DifferentialDiff: add repositoryPHID, drop parentRevisionID 2014-01-26 15:29:22 -08:00
search Perform search indexing in the worker queue and respect bin/search index --background 2014-01-14 13:22:56 -08:00
settings Consolidate use of magical cookie name strings 2014-01-23 14:01:35 -08:00
slowvote Simplify PHUIObjectBoxViews handling of Save and Error states 2014-01-10 09:17:37 -08:00
subscriptions Tie application event listeners to the applications they listen for 2013-10-21 17:00:21 -07:00
system Replace some hsprintf() by phutil_tag() 2013-11-11 09:23:23 -08:00
tokens Provide convenience method addTextCrumb() to PhabricatorCrumbsView 2013-12-18 17:47:34 -08:00
transactions Perform search indexing in the worker queue and respect bin/search index --background 2014-01-14 13:22:56 -08:00
typeahead Legalpad - add policy rule for legalpad document signatures 2014-01-15 16:48:44 -08:00
uiexample Add OK icon. It's ok. 2014-01-15 08:00:55 -08:00
xhprof Make most file reads policy-aware 2013-09-30 09:38:13 -07:00