mirror of https://we.phorge.it/source/phorge.git synced 2024-11-10 00:42:41 +01:00
phorge-phorge/scripts
epriestley 39b4d20ce5 Create AphrontWriteGuard, a backup mechanism for CSRF validation
Summary:
Provide a catchall mechanism to find unprotected writes.

  - Depends on D758.
  - Similar to WriteOnHTTPGet stuff from Facebook's stack.
  - Since we have a small number of storage mechanisms and highly structured
read/write pathways, we can explicitly answer the question "is this page
performing a write?".
  - Never allow writes without CSRF checks.
  - This will probably break some things. That's fine: they're CSRF
vulnerabilities or weird edge cases that we can fix. But don't push to Facebook
for a few days unless you're prepared to deal with this.
  - **>>> MEGADERP: All Conduit write APIs are currently vulnerable to CSRF!
<<<**

Test Plan:
  - Ran some scripts that perform writes (scripts/search indexers), no issues.
  - Performed normal CSRF submits.
  - Added writes to an un-CSRF'd page, got an exception.
  - Executed conduit methods.
  - Did login/logout (this works because the logged-out user validates the
logged-out csrf "token").
  - Did OAuth login.
  - Did OAuth registration.

Reviewers: pedram, andrewjcg, erling, jungejason, tuomaspelkonen, aran,
codeblock
Commenters: pedram
CC: aran, epriestley, pedram
Differential Revision: 777
2011-08-16 13:29:57 -07:00
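The mechanism the commit describes, as an added illustration of the write-guard pattern in Python. This is not Phabricator's AphrontWriteGuard or any code from this repository: the class names, the HMAC-based token scheme, the shared logged-out secret and the script-mode guard are all assumptions chosen to show the idea. The one rule it enforces is the one the summary states: every storage write checks that a guard is active, and a guard can only be opened after CSRF validation succeeded, so a controller that forgot its CSRF check fails loudly instead of silently shipping a vulnerability.

```python
"""Write-guard pattern (added example, not Phabricator's own AphrontWriteGuard)."""
import hashlib
import hmac
import secrets
import threading
from contextlib import contextmanager


class CSRFError(Exception):
    """The request tried to open a write guard with a bad CSRF token."""


class UnguardedWriteError(Exception):
    """A storage write happened with no guard active: an unprotected write."""


# Assumption: logged-out users share a fixed secret so that login forms can
# still validate (the commit's "logged-out csrf token" case).
LOGGED_OUT_SECRET = b"logged-out-user"


def csrf_secret(session):
    return session["secret"] if session else LOGGED_OUT_SECRET


def csrf_token(session):
    return hmac.new(csrf_secret(session), b"csrf", hashlib.sha256).hexdigest()


def validate_csrf(session, token):
    return token is not None and hmac.compare_digest(csrf_token(session), token)


_state = threading.local()  # one request per thread, so one guard per thread


class WriteGuard:
    """Must be active for any Storage.write(); entering it runs the validator."""

    def __init__(self, validator):
        self._validator = validator

    def __enter__(self):
        if getattr(_state, "guard", None) is not None:
            raise RuntimeError("nested write guards are not allowed")
        if not self._validator():
            raise CSRFError("CSRF validation failed; refusing to open write guard")
        _state.guard = self
        return self

    def __exit__(self, *exc):
        _state.guard = None
        return False

    @staticmethod
    def assert_active():
        if getattr(_state, "guard", None) is None:
            raise UnguardedWriteError("write attempted outside a write guard")


@contextmanager
def script_write_guard():
    """Command-line scripts have no CSRF token; they open a guard unconditionally."""
    with WriteGuard(lambda: True):
        yield


class Storage:
    def __init__(self):
        self.rows = {}

    def read(self, key):
        return self.rows.get(key)  # reads never need a guard

    def write(self, key, value):
        WriteGuard.assert_active()  # the catchall check for every write path
        self.rows[key] = value


def handle_protected_write(storage, session, form):
    """A controller that validates CSRF before it writes."""
    with WriteGuard(lambda: validate_csrf(session, form.get("csrf"))):
        storage.write(form["key"], form["value"])


def handle_unguarded_write(storage, form):
    """A controller that forgot CSRF; the storage layer rejects its write."""
    storage.write(form["key"], form["value"])


def new_session():
    return {"secret": secrets.token_bytes(32)}


def demo():
    """Constructed requests exercising each case from the commit's test plan."""
    storage, session, results = Storage(), new_session(), {}
    handle_protected_write(storage, session, {"csrf": csrf_token(session), "key": "title", "value": "x"})
    results["valid"] = storage.read("title")
    try:
        handle_protected_write(storage, session, {"csrf": "forged", "key": "title", "value": "evil"})
    except CSRFError:
        results["bad_token"] = "rejected"
    try:
        handle_unguarded_write(storage, {"key": "title", "value": "evil"})
    except UnguardedWriteError:
        results["unguarded"] = "caught"
    handle_protected_write(storage, None, {"csrf": csrf_token(None), "key": "login", "value": "ok"})
    results["logged_out"] = storage.read("login")
    with script_write_guard():
        storage.write("indexed", True)  # the scripts/ case: no HTTP request, no token
    results["script"] = storage.read("indexed")
    results["title_after"] = storage.read("title")
    return results


if __name__ == "__main__":
    print(demo())
```

The point of the design is that the check lives in the storage layer rather than in each controller, so a forgotten CSRF check becomes an exception in testing instead of a silent hole; the script guard exists only because command-line entry points have no request to validate, which is why the commit touches `__init_script__.php` alongside the web stack.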
daemon Show logs to the console in 'phd debug' 2011-06-26 20:41:08 -07:00
install Add a garbage collector daemon 2011-07-05 13:49:11 -07:00
mail Skip attaching 'inline' text attachments 2011-06-12 22:38:57 -07:00
repository Update Phabricator to new PhutilServiceProfiler APIs 2011-05-16 17:10:18 -07:00
search Added subscriber view to Maniphest. 2011-07-07 14:08:52 -07:00
setup Test for pcntl availability from the command line, not Apache 2011-05-30 21:02:08 -07:00
sql Script to selectively convert MyISAM tables to InnoDB 2011-07-11 11:42:28 -07:00
user Mask typed passwords as they are entered into 'accountadmin' 2011-05-28 11:52:59 -07:00
__init_env__.php Set time zone for PhabricatorRepositoryCommitDiscoveryDaemon 2011-05-30 15:38:43 -07:00
__init_script__.php Create AphrontWriteGuard, a backup mechanism for CSRF validation 2011-08-16 13:29:57 -07:00
celerity_mapper.php Fix typo in Celerity mapper 2011-08-03 23:25:40 -07:00