mirror of https://we.phorge.it/source/phorge.git synced 2024-11-24 07:42:40 +01:00
phorge-phorge/src/applications/auth/controller
epriestley 5b1d9c935a After writing "next_uri", don't write it again for a while
Summary:
Fixes T3793. There's a lot of history here, see D4012, T2102. Basically, the problem is that things used to work like this:

  - User is logged out and accesses `/xyz/`. After they log in, we'd like to send them back to `/xyz/`, so we set a `next_uri` cookie.
  - User's browser has a bunch of extensions and now makes a ton of requests for stuff that doesn't exist, like `humans.txt` and `apple-touch-icon.png`. We can't distinguish between these requests and normal requests in a general way, so we write `next_uri` cookies, overwriting the user's intent (`/xyz/`).

To fix this, we made the 404 page not set `next_uri`, in D4012. So if the browser requests `humans.txt`, we 404 with no cookie, and the `/xyz/` cookie is preserved. However, this is bad because an attacker can determine if objects exist and applications are installed, by visiting, e.g., `/T123` and seeing if they get a 404 page (resource really does not exist) or a login page (resource exists). We'd rather not leak this information.

The comment in the body text describes this in more detail.

This diff sort of tries to do the right thing most of the time: we write the cookie only if we haven't written it in the last 2 minutes. Generally, this should mean that the original request to `/xyz/` writes it, all the `humans.txt` requests don't write it, and things work like users expect. This may occasionally do the wrong thing, but it should be very rare, and we stop leaking information about applications and objects.

Test Plan: Logged out, clicked around / logged in, used Charles to verify that cookies were set in the expected way.

Reviewers: btrahan

Reviewed By: btrahan

CC: aran

Maniphest Tasks: T3793

Differential Revision: https://secure.phabricator.com/D8047
2014-01-23 14:16:08 -08:00
config Move PhabricatorTagView to PHUITagView 2014-01-14 14:09:52 -08:00
PhabricatorAuthConfirmLinkController.php Provide convenience method addTextCrumb() to PhabricatorCrumbsView 2013-12-18 17:47:34 -08:00
PhabricatorAuthController.php Consolidate use of magical cookie name strings 2014-01-23 14:01:35 -08:00
PhabricatorAuthLinkController.php Consolidate use of magical cookie name strings 2014-01-23 14:01:35 -08:00
PhabricatorAuthLoginController.php Consolidate use of magical cookie name strings 2014-01-23 14:01:35 -08:00
PhabricatorAuthNeedsApprovalController.php Slightly improve behavior for unverified + unapproved users 2013-11-21 12:58:58 -08:00
PhabricatorAuthOldOAuthRedirectController.php Make old GitHub OAuth URIs work for now 2013-06-21 06:11:57 -07:00
PhabricatorAuthRegisterController.php Add a common password blacklist 2014-01-23 14:01:18 -08:00
PhabricatorAuthStartController.php After writing "next_uri", don't write it again for a while 2014-01-23 14:16:08 -08:00
PhabricatorAuthUnlinkController.php Move all account link / unlink to new registration flow 2013-06-17 06:12:45 -07:00
PhabricatorAuthValidateController.php After writing "next_uri", don't write it again for a while 2014-01-23 14:16:08 -08:00
PhabricatorDisabledUserController.php Restore merge of phutil_tag. 2013-02-13 14:51:18 -08:00
PhabricatorEmailLoginController.php Provide convenience method addTextCrumb() to PhabricatorCrumbsView 2013-12-18 17:47:34 -08:00
PhabricatorEmailTokenController.php After writing "next_uri", don't write it again for a while 2014-01-23 14:16:08 -08:00
PhabricatorEmailVerificationController.php Provide convenience method addTextCrumb() to PhabricatorCrumbsView 2013-12-18 17:47:34 -08:00
PhabricatorLogoutController.php Consolidate use of magical cookie name strings 2014-01-23 14:01:35 -08:00
PhabricatorMustVerifyEmailController.php Recover more flexibly from an already-verified email 2013-11-21 14:41:32 -08:00
PhabricatorRefreshCSRFController.php Delete license headers from files 2012-11-05 11:16:51 -08:00