phorge-phorge

mirror of https://we.phorge.it/source/phorge.git synced 2024-11-11 17:32:41 +01:00

History

epriestley 38c83ef846 Defuse a "Host:" header attack Summary: Django released a security update recently dealing with malicious "Host" headers: https://www.djangoproject.com/weblog/2012/oct/17/security/ We're vulnerable to the same attack. Plug the hole. The risk here is that an attacker does something like this: # Register "evil.com". # Point it at secure.phabricator.com in DNS. # Send a legitimate user a link to "secure.phabricator.com:ignored@evil.com". # They login and get cookies. Normally Phabricator refuses to set cookies on domains it does not recognize. # The attacker now points "evil.com" at his own servers and reads the auth cookies on the next request. Test Plan: Unit tests. Reviewers: vrana, btrahan Reviewed By: vrana CC: aran Differential Revision: https://secure.phabricator.com/D3766	2012-10-22 10:49:06 -07:00
..
AphrontRequestTestCase.php	Defuse a "Host:" header attack	2012-10-22 10:49:06 -07:00

epriestley 38c83ef846 Defuse a "Host:" header attack

Summary:
Django released a security update recently dealing with malicious "Host" headers:

https://www.djangoproject.com/weblog/2012/oct/17/security/

We're vulnerable to the same attack. Plug the hole.

The risk here is that an attacker does something like this:

  # Register "evil.com".
  # Point it at secure.phabricator.com in DNS.
  # Send a legitimate user a link to "secure.phabricator.com:ignored@evil.com".
  # They login and get cookies. Normally Phabricator refuses to set cookies on domains it does not recognize.
  # The attacker now points "evil.com" at his own servers and reads the auth cookies on the next request.

Test Plan: Unit tests.

Reviewers: vrana, btrahan

Reviewed By: vrana

CC: aran

Differential Revision: https://secure.phabricator.com/D3766

2012-10-22 10:49:06 -07:00

AphrontRequestTestCase.php

Defuse a "Host:" header attack

2012-10-22 10:49:06 -07:00