mirror of
https://we.phorge.it/source/phorge.git
synced 2024-11-11 17:32:41 +01:00
38c83ef846
Summary: Django released a security update recently dealing with malicious "Host" headers: https://www.djangoproject.com/weblog/2012/oct/17/security/ We're vulnerable to the same attack. Plug the hole. The risk here is that an attacker does something like this: # Register "evil.com". # Point it at secure.phabricator.com in DNS. # Send a legitimate user a link to "secure.phabricator.com:ignored@evil.com". # They login and get cookies. Normally Phabricator refuses to set cookies on domains it does not recognize. # The attacker now points "evil.com" at his own servers and reads the auth cookies on the next request. Test Plan: Unit tests. Reviewers: vrana, btrahan Reviewed By: vrana CC: aran Differential Revision: https://secure.phabricator.com/D3766 |
||
---|---|---|
.. | ||
AphrontRequestTestCase.php |