mirror of https://we.phorge.it/source/phorge.git synced 2025-01-20 19:51:08 +01:00
phorge-phorge/src/applications
epriestley 1f4cf23455 Remove "phabricator.csrf-key" and upgrade CSRF hashing to SHA256
Summary:
Ref T12509.

  - Remove the "phabricator.csrf-key" configuration option in favor of automatically generating an HMAC key.
  - Upgrade two hasher callsites (one in CSRF itself, one in providing a CSRF secret for logged-out users) to SHA256.
  - Extract the CSRF logic from `PhabricatorUser` to a standalone engine.

I was originally going to do this as two changes (extract logic, then upgrade hashes) but the logic had a couple of very silly pieces to it that made faithful extraction a little silly.

For example, it computed `time_block = (epoch + (offset * cycle_frequency)) / cycle_frequency` instead of `time_block = (epoch / cycle_frequency) + offset`. These are equivalent but the former was kind of silly.

It also computed `substr(hmac(substr(hmac(secret)).salt))` instead of `substr(hmac(secret.salt))`. These have the same overall effect but the former is, again, kind of silly (and a little bit materially worse, in this case).

This will cause a one-time compatibility break: pages loaded before the upgrade won't be able to submit contained forms after the upgrade, unless they're open for long enough for the JavaScript to refresh the CSRF token (an hour, I think?). I'll note this in the changelog.

Test Plan:
  - As a logged-in user, submitted forms normally (worked).
  - As a logged-in user, submitted forms with a bad CSRF value (error, as expected).
  - As a logged-out user, hit the success and error cases.
  - Visually inspected tokens for correct format.

Reviewers: amckinley

Reviewed By: amckinley

Maniphest Tasks: T12509

Differential Revision: https://secure.phabricator.com/D19946
2019-01-04 13:49:47 -08:00
almanac Remove "getApplicationTransactionObject()" from ApplicationTransactionInterface 2018-12-20 15:16:19 -08:00
aphlict Add a CLI workflow for testing that notifications are being delivered 2018-12-10 16:05:53 -08:00
arcanist/conduit Remove remaining arcanist project code 2015-07-08 19:37:28 +10:00
audit Remove "willRenderTimeline()" from ApplicationTransactionInterface 2018-12-20 14:55:07 -08:00
auth Remove "phabricator.csrf-key" and upgrade CSRF hashing to SHA256 2019-01-04 13:49:47 -08:00
badges Remove "getApplicationTransactionObject()" from ApplicationTransactionInterface 2018-12-20 15:16:19 -08:00
base Remove "phabricator.csrf-key" and upgrade CSRF hashing to SHA256 2019-01-04 13:49:47 -08:00
cache Remove an old digest in Celerity code and some obsolete configuration options 2019-01-04 13:43:38 -08:00
calendar Remove "getApplicationTransactionObject()" from ApplicationTransactionInterface 2018-12-20 15:16:19 -08:00
celerity Remove an old digest in Celerity code and some obsolete configuration options 2019-01-04 13:43:38 -08:00
chatlog Update many Phabricator queries for new %Q query semantics 2018-11-15 03:48:10 -08:00
conduit Raise warning when accidentally submitting Conduit parameters as a JSON-encoded body 2019-01-02 17:31:16 -08:00
config Remove "phabricator.csrf-key" and upgrade CSRF hashing to SHA256 2019-01-04 13:49:47 -08:00
conpherence Remove "getApplicationTransactionObject()" from ApplicationTransactionInterface 2018-12-20 15:16:19 -08:00
console Fix some minor errors (DarkConsole warning, unstable Ferret sort) 2018-03-18 15:12:25 -07:00
countdown Remove "getApplicationTransactionObject()" from ApplicationTransactionInterface 2018-12-20 15:16:19 -08:00
daemon Continue cleaning up queries in the wake of changes to "%Q" 2018-11-16 12:49:44 -08:00
dashboard Remove "getApplicationTransactionObject()" from ApplicationTransactionInterface 2018-12-20 15:16:19 -08:00
differential Remove "getApplicationTransactionObject()" from ApplicationTransactionInterface 2018-12-20 15:16:19 -08:00
diffusion Remove "willRenderTimeline()" from ApplicationTransactionInterface 2018-12-20 14:55:07 -08:00
diviner Remove "getApplicationTransactionObject()" from ApplicationTransactionInterface 2018-12-20 15:16:19 -08:00
doorkeeper Allow Doorkeeper references to have multiple display variations (full, short, etc.) 2018-03-13 11:29:52 -07:00
draft/storage When purging drafts after a transaction edit, purge all drafts 2018-02-11 06:01:09 -08:00
drydock Remove "getApplicationTransactionObject()" from ApplicationTransactionInterface 2018-12-20 15:16:19 -08:00
fact Remove all application callers to "putInSet()" 2018-12-12 16:41:12 -08:00
favorites Add some missing aural button labels for accessibility 2018-08-17 11:00:29 -07:00
feed Separate "feed" and "notifications" better, allow stories to appear in notifications only 2018-12-10 16:02:43 -08:00
files Remove "getApplicationTransactionObject()" from ApplicationTransactionInterface 2018-12-20 15:16:19 -08:00
flag Update many Phabricator queries for new %Q query semantics 2018-11-15 03:48:10 -08:00
fund Remove "getApplicationTransactionObject()" from ApplicationTransactionInterface 2018-12-20 15:16:19 -08:00
guides Rename "PHUIDocumentViewPro" to "PHUIDocumentView" 2018-08-28 14:53:07 -07:00
harbormaster Remove "getApplicationTransactionObject()" from ApplicationTransactionInterface 2018-12-20 15:16:19 -08:00
help Redesign header menus and search 2017-01-17 12:13:06 -08:00
herald In Webhooks, give errors human-readable labels and show reminder text for "Silent Mode" 2018-12-28 00:05:46 -08:00
home Update menu item names for Applications -> Favorites 2017-09-05 19:05:03 -07:00
legalpad Remove "getApplicationTransactionObject()" from ApplicationTransactionInterface 2018-12-20 15:16:19 -08:00
lipsum Add "--force" and "--quickly" flags to bin/lipsum 2017-02-27 09:09:41 -08:00
macro Remove "getApplicationTransactionObject()" from ApplicationTransactionInterface 2018-12-20 15:16:19 -08:00
maniphest Allow objects to be put in an "MFA required for all interactions" mode, and support "MFA required" statuses in Maniphest 2018-12-28 00:10:54 -08:00
meta Modularize Repository transactions 2018-11-28 14:29:18 -08:00
metamta Upgrade object reply addresses to SHA256 and remove "phabricator.mail-key" 2019-01-04 13:47:35 -08:00
multimeter Continue cleaning up queries in the wake of changes to "%Q" 2018-11-16 12:49:44 -08:00
notification Remove obsolete "NotifyTest" feed story 2018-12-10 16:03:42 -08:00
nuance Remove "getApplicationTransactionObject()" from ApplicationTransactionInterface 2018-12-20 15:16:19 -08:00
oauthserver Remove "getApplicationTransactionObject()" from ApplicationTransactionInterface 2018-12-20 15:16:19 -08:00
owners Remove "getApplicationTransactionObject()" from ApplicationTransactionInterface 2018-12-20 15:16:19 -08:00
packages Remove "getApplicationTransactionObject()" from ApplicationTransactionInterface 2018-12-20 15:16:19 -08:00
passphrase Remove "getApplicationTransactionObject()" from ApplicationTransactionInterface 2018-12-20 15:16:19 -08:00
paste Remove the "willApplyTransactions()" hook from ApplicationTransactionEditor 2018-12-28 00:19:38 -08:00
people Remove "phabricator.csrf-key" and upgrade CSRF hashing to SHA256 2019-01-04 13:49:47 -08:00
phame Remove "getApplicationTransactionObject()" from ApplicationTransactionInterface 2018-12-20 15:16:19 -08:00
phid Truncate package names in diff table of contents views 2018-06-07 13:17:01 -07:00
phlux Remove "getApplicationTransactionObject()" from ApplicationTransactionInterface 2018-12-20 15:16:19 -08:00
pholio Restore a Mock key to Pholio Images 2018-12-28 00:03:48 -08:00
phortune Remove "getApplicationTransactionObject()" from ApplicationTransactionInterface 2018-12-20 15:16:19 -08:00
phpast Update phpast for new UI 2016-04-05 13:52:59 -07:00
phragment Update many Phabricator queries for new %Q query semantics 2018-11-15 03:48:10 -08:00
phrequent Remove old Phrequent property rendering code and show "Time Spent" in higher precision 2018-12-28 00:07:25 -08:00
phriction Fix the last remaining (?) continue inside switch 2018-12-28 00:04:25 -08:00
phurl Remove "getApplicationTransactionObject()" from ApplicationTransactionInterface 2018-12-20 15:16:19 -08:00
policy Extend PhabricatorPolicyCodex interface to handle "interesting" policy defaults 2018-04-27 16:56:11 -07:00
ponder Remove "getApplicationTransactionObject()" from ApplicationTransactionInterface 2018-12-20 15:16:19 -08:00
project Add status to PhabricatorProjectQuery->getPagingValueMap() 2019-01-03 11:34:24 -08:00
releeph Remove "getApplicationTransactionObject()" from ApplicationTransactionInterface 2018-12-20 15:16:19 -08:00
remarkup/conduit
repository Remove "getApplicationTransactionObject()" from ApplicationTransactionInterface 2018-12-20 15:16:19 -08:00
search Remove "getApplicationTransactionObject()" from ApplicationTransactionInterface 2018-12-20 15:16:19 -08:00
settings Remove "getApplicationTransactionObject()" from ApplicationTransactionInterface 2018-12-20 15:16:19 -08:00
slowvote Remove "getApplicationTransactionObject()" from ApplicationTransactionInterface 2018-12-20 15:16:19 -08:00
spaces Remove "getApplicationTransactionObject()" from ApplicationTransactionInterface 2018-12-20 15:16:19 -08:00
subscriptions Allow objects to be put in an "MFA required for all interactions" mode, and support "MFA required" statuses in Maniphest 2018-12-28 00:10:54 -08:00
support/application
system Update PhabricatorLiskDAO::chunkSQL() for new %Q semantics 2018-11-13 08:59:18 -08:00
tokens Allow tokens to be awarded to MFA-required objects 2018-12-28 00:14:48 -08:00
transactions Pass timeline view data to comment previews, restoring Differential comment previews 2019-01-03 13:06:54 -08:00
typeahead Rename "PHUIDocumentViewPro" to "PHUIDocumentView" 2018-08-28 14:53:07 -07:00
uiexample Reduce the cost of generating default user profile images 2018-03-01 16:53:17 -08:00
xhprof Allow XHProf profiles to be drag-and-dropped to upload them 2017-02-23 11:16:19 -08:00