1
0
Fork 0
mirror of https://we.phorge.it/source/phorge.git synced 2024-12-23 22:10:55 +01:00
No description
Find a file
epriestley 42cf7f6faa Make the current session key a component of the CSRF token
Summary: Fixes T5510. This purely reduces false positives from HackerOne: we currently rotate CSRF tokens, but do not bind them explicitly to specific sessions. Doing so has no real security benefit and may make some session rotation changes more difficult down the line, but researchers routinely report it. Just conform to expectations since the expected behavior isn't bad and this is less work for us than dealing with false positives.

Test Plan:
  - With two browsers logged in under the same user, verified I was issued different CSRF tokens.
  - Verified the token from one browser did not work in the other browser's session.

Reviewers: btrahan

Reviewed By: btrahan

Subscribers: epriestley

Maniphest Tasks: T5510

Differential Revision: https://secure.phabricator.com/D10136
2014-08-04 12:04:47 -07:00
bin Add a bin/hunks script to manage migrations of hunk data 2014-06-03 18:01:23 -07:00
conf Remove @group annotations 2014-07-10 08:12:48 +10:00
externals Update Stripe PHP API 2014-07-13 09:19:07 -07:00
resources Give files uploaded to objects a very restrictive view policy 2014-08-02 14:46:13 -07:00
scripts Allow worker tasks to have priorities 2014-07-12 03:02:06 +10:00
src Make the current session key a component of the CSRF token 2014-08-04 12:04:47 -07:00
support Return a HTTP 500 instead of a HTTP 400 if an internal error occurs in the Aphlict server 2014-07-18 09:20:00 +10:00
webroot Give files uploaded to objects a very restrictive view policy 2014-08-02 14:46:13 -07:00
.arcconfig Update .arclint in Phabricator for phutil-library lint 2014-05-12 06:01:30 -07:00
.arclint Rename Conduit classes 2014-07-25 10:54:15 +10:00
.editorconfig Specify config for text editors 2012-11-03 22:34:44 -07:00
.gitignore Update .gitignore. 2014-06-14 11:44:19 -07:00
LICENSE Delete license headers from files 2012-11-05 11:16:51 -08:00
NOTICE Update Phabricator NOTICE file to reflect modern legal circumstances 2014-06-25 13:42:13 -07:00
README Reformat README as Remarkup 2014-07-16 22:10:36 +10:00

Phabricator is an open source collection of web applications which help
software companies build better software.

Phabricator includes applications for:

  - reviewing and auditing source code;
  - hosting and browsing repositories;
  - assembling a party to venture forth;
  - tracking bugs;
  - hiding stuff from coworkers; and
  - also some other things.

You can learn more about the project (and find links to documentation and
resources) [[http://phabricator.org/ | here]].

Phabricator is developed and maintained by [[http://phacility.com/ |
Phacility]]. The first version of Phabricator was originally built at Facebook.

= LICENSE =
Phabricator is released under the Apache 2.0 license except as otherwise noted.