mirror of https://we.phorge.it/source/phorge.git synced 2024-09-21 09:48:47 +02:00
phorge-phorge/src/view
epriestley 3aa17c7443 Prevent CSRF uploads via /file/dropupload/
Summary:
We don't currently validate CSRF tokens on this workflow. This allows an
attacker to upload arbitrary files on the user's behalf. Although I believe the
tight list of servable mime-types means that's more or less the end of the
attack, this is still a vulnerability.

In the long term, the right solution is probably to pass CSRF tokens on all Ajax
requests in an HTTP header (or just a GET param) or something like that.
However, this endpoint is unique and this is the quickest and most direct way to
close the hole.

Test Plan:
  - Drop-uploaded files to Files, Maniphest, Phriction and Differential.
  - Modified CSRF validator to use __csrf__.'x' and verified uploads and form submissions don't work.

Reviewers: andrewjcg, aran, jungejason, tuomaspelkonen, erling
Commenters: andrewjcg, pedram
CC: aran, epriestley, andrewjcg, pedram
Differential Revision: 758
2011-08-16 13:19:10 -07:00
base Get rid of +x on a bunch of nonexecutable files because I failed to set 2011-04-02 16:47:20 -07:00
control Improve display behavior of commit messages in Diffusion 2011-07-31 12:05:06 -07:00
dialog Allow projects to be quickly added from the Maniphest task creation interface 2011-06-13 10:17:08 -07:00
form Prevent CSRF uploads via /file/dropupload/ 2011-08-16 13:19:10 -07:00
layout Tweak style on "Create Another Task" button 2011-08-03 13:15:18 -07:00
null Get rid of +x on a bunch of nonexecutable files because I failed to set 2011-04-02 16:47:20 -07:00
page Prevent CSRF uploads via /file/dropupload/ 2011-08-16 13:19:10 -07:00
utils Use phabricator_ time functions in more places 2011-06-26 10:38:25 -07:00
widget/keyboardshortcuts Provide basic keyboard navigation support for Differential. 2011-06-09 14:55:44 -07:00