mirror of https://we.phorge.it/source/phorge.git
synced 2024-11-24 07:42:40 +01:00
cedb0c045a
Summary: I locked this down a little bit recently, but make double-extra-super-sure that we aren't sending the user anywhere suspicious or open-redirecty. This also locks down protocol-relative URIs (//evil.com/path) although I don't think any browsers do bad stuff with them in this context, and header injection URIs (although I don't think any of the modern PHP runtimes are vulnerable).

Test Plan:
- Ran tests.
- Hit redirect page with valid and invalid next URIs; was punted to / for invalid ones and to the right place for valid ones.

Reviewers: btrahan, jungejason
Reviewed By: btrahan
CC: arice, aran, epriestley, btrahan
Differential Revision: https://secure.phabricator.com/D1369

- `__init__.php`
- `PhabricatorEnvTestCase.php`