mirror of https://we.phorge.it/source/phorge.git synced 2024-12-23 05:50:55 +01:00
epriestley 38c83ef846 Defuse a "Host:" header attack
Summary:
Django released a security update recently dealing with malicious "Host" headers:

https://www.djangoproject.com/weblog/2012/oct/17/security/

We're vulnerable to the same attack. Plug the hole.

The risk here is that an attacker does something like this:

  # Register "evil.com".
  # Point it at secure.phabricator.com in DNS.
  # Send a legitimate user a link to "secure.phabricator.com:ignored@evil.com".
  # They log in and get cookies. Normally Phabricator refuses to set cookies on domains it does not recognize.
  # The attacker now points "evil.com" at his own servers and reads the auth cookies on the next request.

Test Plan: Unit tests.

Reviewers: vrana, btrahan

Reviewed By: vrana

CC: aran

Differential Revision: https://secure.phabricator.com/D3766
2012-10-22 10:49:06 -07:00
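The attack in the commit message works because the link's apparent host is really the URL's userinfo, and the server then sees a Host header it should not trust. The following is an added example, not code from Phabricator or from the commit above: it shows where the real host of such a link is, and a Host-header allowlist check of the kind the fix describes, with cookies set only when the request's Host is a configured name. The allowlist, the `handle_login` simulation and the cookie name are constructed for illustration and are not Phabricator's configuration or API.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed allowlist standing in for the server's configured base URI(s).
ALLOWED_HOSTS = {"secure.phabricator.com"}


def real_host_of_link(url):
    """Return (actual host, userinfo shown before '@') for a link.

    For "http://secure.phabricator.com:ignored@evil.com/" the browser connects
    to evil.com; "secure.phabricator.com" is only the username part.
    """
    parts = urlsplit(url)
    return parts.hostname, parts.username


def normalize_host(host_header):
    """Parse a raw Host header into (lowercased host, port or None).

    Returns None for anything that is not strictly host[:port]: userinfo,
    paths, whitespace, bad ports, or a malformed bracketed IPv6 literal.
    """
    h = host_header.strip().lower()
    if not h or any(c in h for c in "@/\\?# \t"):
        return None
    if h.startswith("["):
        end = h.find("]")
        if end == -1:
            return None
        host, rest = h[: end + 1], h[end + 1:]
        try:
            ipaddress.IPv6Address(host[1:-1])
        except ValueError:
            return None
    else:
        host, sep, tail = h.partition(":")
        rest = sep + tail
        host = host.rstrip(".")  # "example.com." names the same host
        if not host:
            return None
    port = None
    if rest:
        if not rest.startswith(":") or not rest[1:].isdigit():
            return None
        port = int(rest[1:])
        if not 0 < port < 65536:
            return None
    return host, port


def host_is_trusted(host_header, allowed=ALLOWED_HOSTS):
    """True only if the Host header names a configured host (port ignored)."""
    parsed = normalize_host(host_header)
    if parsed is None:
        return False
    host, _port = parsed
    return host in allowed


def handle_login(host_header, allowed=ALLOWED_HOSTS):
    """Simulated post-login response: (status, headers).

    An unrecognized Host gets a 400 and no Set-Cookie, so an attacker who
    pointed their own name at this server never gets a session cookie
    scoped to it.
    """
    if not host_is_trusted(host_header, allowed):
        return 400, {}
    # Constructed cookie; a real server would issue its session token here.
    return 200, {"Set-Cookie": "session=example-token; Secure; HttpOnly"}


if __name__ == "__main__":
    link = "http://secure.phabricator.com:ignored@evil.com/login/"
    print("link really goes to:", real_host_of_link(link))
    for hdr in ("secure.phabricator.com", "Secure.Phabricator.com:443",
                "evil.com", "secure.phabricator.com@evil.com"):
        print(repr(hdr), "->", handle_login(hdr))
```

The check runs before any cookie is written, and it matches on the host name only, so a legitimate request on a non-default port still passes while a request arriving via an attacker-controlled name is refused outright rather than merely denied a cookie.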
bin Add a basic "fact" application 2012-07-27 13:34:21 -07:00
conf Allow blog resources to be served without Celerity 2012-10-17 08:37:05 -07:00
externals Use JX.Request.setRawData() 2012-10-20 10:53:51 -07:00
resources Make posts 1:1 with blogs and implement policy controls 2012-10-15 14:50:04 -07:00
scripts Generate Releeph GLYPHICON 2012-10-21 15:56:17 -07:00
src Defuse a "Host:" header attack 2012-10-22 10:49:06 -07:00
support Allow simple template-based skin definitions 2012-10-17 08:36:48 -07:00
webroot Generate Releeph GLYPHICON 2012-10-21 15:56:17 -07:00
.arcconfig Remove "remote_hooks_installed" from phabricator/.arcconfig 2012-07-24 07:19:15 -07:00
.divinerconfig Centralize rendering of application mail bodies 2012-07-16 19:01:43 -07:00
.gitignore Remove support for custom logos 2012-07-30 11:09:28 -07:00
.gitmodules Just change the location. 2011-05-28 15:14:54 -07:00
README Add a roadmap document and update the README. 2011-06-29 09:38:03 -07:00

Phabricator is an open source collection of web applications which make it easier
to write, review, and share source code. Phabricator was developed at Facebook.

This is an early release. It's pretty high-quality and usable, but under
active development so things may change quickly.

You can learn more about the project and find links to documentation and
resources at: http://phabricator.org/

LICENSE

Phabricator is released under the Apache 2.0 license except as otherwise noted.
http://www.apache.org/licenses/LICENSE-2.0