Mirror of https://we.phorge.it/source/phorge.git (synced 2024-12-23 05:50:55 +01:00)

Commit 38c83ef846
Summary: Django released a security update recently dealing with malicious "Host" headers: https://www.djangoproject.com/weblog/2012/oct/17/security/

We're vulnerable to the same attack. Plug the hole.

The risk here is that an attacker does something like this:

1. Register "evil.com".
2. Point it at secure.phabricator.com in DNS.
3. Send a legitimate user a link to "secure.phabricator.com:ignored@evil.com".
4. They login and get cookies. Normally Phabricator refuses to set cookies on domains it does not recognize.
5. The attacker now points "evil.com" at his own servers and reads the auth cookies on the next request.

Test Plan: Unit tests.

Reviewers: vrana, btrahan

Reviewed By: vrana

CC: aran

Differential Revision: https://secure.phabricator.com/D3766
| Path |
|---|
| bin |
| conf |
| externals |
| resources |
| scripts |
| src |
| support |
| webroot |
| .arcconfig |
| .divinerconfig |
| .gitignore |
| .gitmodules |
| README |
Phabricator is an open source collection of web applications which make it easier to write, review, and share source code. Phabricator was developed at Facebook.

This is an early release. It's pretty high-quality and usable, but under active development, so things may change quickly.

You can learn more about the project and find links to documentation and resources at: http://phabricator.org/

LICENSE

Phabricator is released under the Apache 2.0 license except as otherwise noted. http://www.apache.org/licenses/LICENSE-2.0