mirror of https://we.phorge.it/source/phorge.git synced 2024-09-21 17:58:47 +02:00
phorge-phorge/src/aphront
epriestley d3e700ce19 Further mitigate BREACH by reducing reflectiveness
Summary:
Ref T3684. The URI itself is reflected in a few places. It is generally not dangerous because we only let you add random stuff to the end of it for one or two controllers (e.g., the file download controller lets you add "/whatever.jpg"), but:

  - Remove it entirely in the main request, since it serves no purpose.
  - Remove query parameters in Ajax requests. These are available in DarkConsole proper.

Also mask a few things in the "Request" tab; I've never used these fields when debugging or during support, and they leak quasi-sensitive information that could get screenshotted or over-the-shoulder'd.

I didn't mitigate `__metablock__` because I think the threat is so close to 0 that it's not worthwhile.

Test Plan: Used DarkConsole, examined Requests tab.

Reviewers: btrahan

Reviewed By: btrahan

CC: aran

Maniphest Tasks: T3684

Differential Revision: https://secure.phabricator.com/D6699
2013-08-07 16:09:25 -07:00
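The "reflectiveness" the commit above is reducing is the ingredient BREACH needs: attacker-controlled request text echoed into a compressed HTTPS response that also carries a secret, so that the compressed size leaks how much of a guess matches the secret. The following is an added example written for this page, not Phorge/Phabricator code and not the code touched by the commit. It builds a toy page that, like a debug panel echoing the request URI, reflects a query string next to a CSRF token, recovers the token one hex character at a time from compressed sizes alone, and then shows that the same oracle yields nothing once the reflection is removed. The page template, the token value `csrf=7f3a9c2e`, the hex alphabet, the function names and the use of fixed Huffman tables (chosen so the byte-count oracle is deterministic; real servers use dynamic tables and the original attack needs extra statistical work to cope) are all assumptions of the example.

```python
"""
Added example for this page, not Phorge/Phabricator code: a BREACH-style
compression oracle against a toy page that reflects attacker-controlled
request text next to a secret token. All page content, the token value and
the hex alphabet are constructed for the demonstration.
"""
import string
import zlib

# Constructed per-session secret that the page embeds; a BREACH attacker
# knows the prefix "csrf=" and wants the 8 hex characters after it.
SECRET_TOKEN = b"csrf=7f3a9c2e"
ALPHABET = string.hexdigits[:16].encode()   # b"0123456789abcdef"

# Fixed Huffman tables (Z_FIXED, value 4 in zlib.h) keep the byte-count
# oracle deterministic; real servers use dynamic tables, which the original
# attack handles with extra statistical work not shown here.
Z_FIXED = getattr(zlib, "Z_FIXED", 4)


def render_page(reflected: bytes, reflect: bool) -> bytes:
    """Toy response body. With reflect=True it echoes the request (here a
    query string) into an HTML comment, the way a debug panel might echo
    the request URI; with reflect=False that echo is gone."""
    body = b"<html><body>\n"
    body += b'<input type="hidden" name="__csrf__" value="' + SECRET_TOKEN + b'">\n'
    if reflect:
        body += b"<!-- request: /search?q=" + reflected + b" -->\n"
    body += b"</body></html>\n"
    return body


def compressed_length(reflected: bytes, reflect: bool) -> int:
    """Size of the DEFLATE-compressed response: the only thing a network
    attacker can observe about a TLS-protected page."""
    comp = zlib.compressobj(9, zlib.DEFLATED, zlib.MAX_WBITS, 8, Z_FIXED)
    return len(comp.compress(render_page(reflected, reflect)) + comp.flush())


def oracle_score(guess: bytes, reflect: bool) -> int:
    """Sum the compressed size over eight incompressible paddings of 0..7
    bytes. A correct guess lengthens the back-reference to the secret by one
    byte and saves 7 or 8 bits; each padding byte is a 9-bit literal, so the
    eight paddings walk through every byte-rounding phase and the saving
    always shows up as at least 7 bytes in the total."""
    return sum(
        compressed_length(guess + bytes(range(0x90, 0x90 + k)), reflect)
        for k in range(8)
    )


def recover_token(reflect: bool, prefix: bytes = b"csrf=", length: int = 8) -> bytes:
    """Recover the secret one character at a time: the candidate whose
    reflection compresses best is the one that matches. Stops as soon as no
    single candidate wins, which is what happens once the page stops
    reflecting the attacker's input."""
    known = prefix
    for _ in range(length):
        scores = {c: oracle_score(known + bytes([c]), reflect) for c in ALPHABET}
        best = min(scores.values())
        winners = [c for c, s in scores.items() if s == best]
        if len(winners) != 1:
            break
        known += bytes(winners)
    return known[len(prefix):]


if __name__ == "__main__":
    print("reflecting page    :", recover_token(reflect=True))
    print("non-reflecting page:", recover_token(reflect=False))
```

Running it recovers the full token from the reflecting page and an empty string from the non-reflecting one: with no attacker-controlled bytes in the body, every guess compresses to the same size and the oracle has nothing to rank. That is the property the commit is buying by dropping the URI and the query parameters from the DarkConsole payloads; the token itself stays in the page, so the fix targets the reflection, not the secret.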
__tests__ Add passthru to AphrontRequest 2012-12-11 17:27:02 -08:00
configuration Handle "multipart/form-data" correctly even if we get the data 2013-08-04 11:37:17 -07:00
console Further mitigate BREACH by reducing reflectiveness 2013-08-07 16:09:25 -07:00
exception Delete license headers from files 2012-11-05 11:16:51 -08:00
response Further mitigate BREACH by reducing reflectiveness 2013-08-07 16:09:25 -07:00
sink Share more HTTPSink code 2012-12-25 06:17:45 -08:00
AphrontController.php Use delegation to generalize application search controllers 2013-05-30 14:09:02 -07:00
AphrontRequest.php Fix exception with "phabricator.allowed-uris" when trying to set cookies 2013-07-22 12:21:08 -07:00
AphrontURIMapper.php Delete license headers from files 2012-11-05 11:16:51 -08:00